Re: [OAUTH-WG] client certs and TLS Terminating Reverse Proxies (was Re: I-D Action: draft-ietf-oauth-jwt-introspection-response-08.txt)
"Salz, Rich" <rsalz@akamai.com> Wed, 30 October 2019 17:19 UTC
From: "Salz, Rich" <rsalz@akamai.com>
To: Neil Madden <neil.madden@forgerock.com>
CC: Justin Richer <jricher@mit.edu>, Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>, oauth <oauth@ietf.org>
Date: Wed, 30 Oct 2019 17:19:34 +0000
Message-ID: <4D4F6A38-74ED-4243-A1BC-CE1823FC1ED9@akamai.com>
References: <2B2ACEE8-7B48-4E2D-94DA-AF3DA86DE809@mit.edu> <E58B4EB0-7E59-4A0C-B43F-263CEF0B955D@forgerock.com> <50867522-C1A5-4BE2-888A-910B352D1EC8@mit.edu> <4DFE9EE9-2A57-4F2F-B2E2-12217FE3CECE@forgerock.com> <96892FC9-87E8-472F-B989-3D41DF43D2CC@akamai.com> <1543ED50-D92F-4679-87F5-AE679E4184AB@forgerock.com> <011AB6F2-F178-4D8F-8589-70A4C9CEC47A@akamai.com> <68653C2D-E8BB-40F9-9C40-941B6A92E68A@forgerock.com>
In-Reply-To: <68653C2D-E8BB-40F9-9C40-941B6A92E68A@forgerock.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/cI_e6BaPAJnLio1afkWq0mVcYH8>
* To quote your previous claim: "There is no such thing as an unguessable name."

Right. That doesn't mean *I* have to guess it.

* Even if your deployment team had such staggeringly bad operational security practices as to allow people to take packet captures from an internal network and show them on public slides without any kind of questions being asked, if this actually happens *YOU ARE NO WORSE OFF THAN IN THE SITUATION WHERE YOU USED A WELL-KNOWN HEADER NAME*!

Yes you are worse off. Because that now-exposed header value can be used for spoofing. As opposed to protection by TLS, and then sending the plaintext message around.

* I don't know how many different ways I can say that this is a defense in depth

Because it is not. It is taking an application-level piece of configuration data and requiring it to be treated as if it were crypto material. Which it cannot be, because multiple parties need to know it (as I said, the proxy, the backend, the app developers, the support team, etc). It's defense by "collapsing layers" rather than "in depth."

* As with all defense in depth, the aim is to be more than 1 configuration mistake away from total compromise.

But that is exactly what you are proposing. Exposing the header *is* a total compromise and multiple entities will need to know that header value.

At any rate, I think we're done here.
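The spoofing scenario argued over above, worked through as an added example (this is not code from the thread or from any participant's product). A TLS-terminating proxy forwards the client certificate to the resource server in a header; the RS compares the certificate's thumbprint with the `cnf.x5t#S256` claim of a certificate-bound access token (RFC 8705). Because the client certificate is public, an attacker holding a stolen bound token only needs to inject that header to defeat the binding, so whoever can reach the backend with an attacker-chosen header wins regardless of whether the header name is well known or "unguessable". Assumptions: the header name `X-Client-Cert` is a deployment choice, the certificate bytes are a constructed stand-in (not a real X.509 structure, just enough for PEM handling and hashing), and the `via_trusted_proxy` flag stands in for the backend having authenticated the proxy hop (for instance mTLS between proxy and backend), which the simulation does not itself implement.

```python
import base64
import hashlib
import ssl
from typing import Optional
from urllib.parse import quote, unquote

# Deployment-chosen header name (assumption for this example; the thread
# debates whether a secret name would help, the code shows it is not the
# property that matters).
CLIENT_CERT_HEADER = "X-Client-Cert"

# Constructed stand-in for the client's certificate. It is PEM-framed so the
# stdlib PEM/DER helper accepts it, but the payload is not real DER.
CLIENT_CERT_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"constructed-client-cert-der-bytes").decode()
    + "\n-----END CERTIFICATE-----\n"
)


def x5t_s256(pem: str) -> str:
    """RFC 8705 thumbprint: base64url(SHA-256(DER)) without padding."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    digest = hashlib.sha256(der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def proxy_forward(request: dict, tls_client_cert_pem: Optional[str]) -> dict:
    """TLS-terminating proxy.

    Drops any caller-supplied copy of the header (case-insensitively), then
    adds the certificate actually presented on the TLS handshake, if any.
    Marks the request as having traversed the authenticated proxy hop.
    """
    headers = {
        k: v
        for k, v in request["headers"].items()
        if k.lower() != CLIENT_CERT_HEADER.lower()
    }
    if tls_client_cert_pem is not None:
        # URL-encode so the PEM's newlines survive as a single header value.
        headers[CLIENT_CERT_HEADER] = quote(tls_client_cert_pem, safe="")
    return {**request, "headers": headers, "via_trusted_proxy": True}


def rs_naive(request: dict, token_cnf_x5t: str) -> bool:
    """Naive RS: honours the header no matter where the request came from."""
    encoded = request["headers"].get(CLIENT_CERT_HEADER)
    if encoded is None:
        return False
    return x5t_s256(unquote(encoded)) == token_cnf_x5t


def rs_strict(request: dict, token_cnf_x5t: str) -> bool:
    """Hardened RS: honours the header only on the authenticated proxy hop.

    `via_trusted_proxy` simulates the RS having verified the peer is the
    proxy (e.g. mTLS on the proxy-to-backend connection); a request that
    reached the RS any other way is refused before the header is even read.
    """
    if not request.get("via_trusted_proxy"):
        return False
    return rs_naive(request, token_cnf_x5t)


def scenario() -> dict:
    """Run the legitimate and forged paths against both RS variants."""
    bound_thumbprint = x5t_s256(CLIENT_CERT_PEM)  # what the AS put in cnf

    # 1. Legitimate client authenticates on TLS; the proxy forwards its cert.
    legit = proxy_forward(
        {"headers": {"Authorization": "Bearer <bound-token>"}}, CLIENT_CERT_PEM
    )

    # 2. Attacker replays the stolen bound token and injects the victim's
    #    (public) certificate in the header. Through the proxy the injected
    #    header is stripped and no TLS client cert is presented.
    forged = {
        "headers": {
            "Authorization": "Bearer <bound-token>",
            CLIENT_CERT_HEADER: quote(CLIENT_CERT_PEM, safe=""),
        }
    }
    forged_via_proxy = proxy_forward(forged, None)

    # 3. Same forged request delivered straight to the backend, bypassing the
    #    proxy entirely (the "one configuration mistake" case).
    forged_direct = forged

    return {
        "legit_naive": rs_naive(legit, bound_thumbprint),
        "legit_strict": rs_strict(legit, bound_thumbprint),
        "forged_via_proxy_naive": rs_naive(forged_via_proxy, bound_thumbprint),
        "forged_via_proxy_strict": rs_strict(forged_via_proxy, bound_thumbprint),
        "forged_direct_naive": rs_naive(forged_direct, bound_thumbprint),
        "forged_direct_strict": rs_strict(forged_direct, bound_thumbprint),
    }


if __name__ == "__main__":
    for case, accepted in scenario().items():
        print(f"{case:26s} -> {'ACCEPTED' if accepted else 'rejected'}")
```

The only case in which the naive and strict resource servers differ is the forged request that reaches the backend without passing through the proxy: the naive RS accepts the attacker's token because the certificate it is bound to is public. Neither the header name nor its secrecy appears anywhere in that decision; what closes the hole is the proxy stripping inbound copies of the header and the backend refusing the header from any peer it has not authenticated as the proxy.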