Re: [OAUTH-WG] MTLS endpoints & discovery (was something else)
Filip Skokan <panva.ip@gmail.com> Wed, 20 February 2019 16:59 UTC
Return-Path: <panva.ip@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 62E8112870E for <oauth@ietfa.amsl.com>; Wed, 20 Feb 2019 08:59:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bODFsqeIB0ol for <oauth@ietfa.amsl.com>; Wed, 20 Feb 2019 08:59:16 -0800 (PST)
Received: from mail-wm1-x330.google.com (mail-wm1-x330.google.com [IPv6:2a00:1450:4864:20::330]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 43692130DC4 for <oauth@ietf.org>; Wed, 20 Feb 2019 08:59:16 -0800 (PST)
Received: by mail-wm1-x330.google.com with SMTP id x7so7325777wmj.0 for <oauth@ietf.org>; Wed, 20 Feb 2019 08:59:16 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=PMSxtmQ0KpquVs2YsiI1/GYn+E3hikv89MvAfbSKNNc=; b=FX5PXvDu/yx4R9gFmG+GKvQLhY76/3CPM1eadyON3bdm/l0kJx9ecLJe3vFRzlpHvE M+xGYV5EfSw6nX2ItmhyBezPAvl3OUHcwfoBuXMHtLYFqMG3v2P3mHz2chm+9GkNKYst qbQDIRu01QMqfvaGQeNRFXX0F2JTgj2Svxnrx+30UchynsPBLBViAL9YVHCKdZZUctus 0JfcDTQfBqFyKyttdQPecy/xZQxH4OegrKWVLZkY9FBOK/GJ8j7HqLrt///WmcjE8lGH CK69blNkI1ULDmVeGh0GhRtv7cyLBG8WYlXsCiGZUzqnrYe6nSlrxHeOpRcyGyhRF1b+ JwOA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=PMSxtmQ0KpquVs2YsiI1/GYn+E3hikv89MvAfbSKNNc=; b=nYlboTaDgwuE+7N6y0zMohuklhhVfFzEPHL8q+vWl3dNpU/LzeOwZvnkFPCxIaExnU guvI0I40jjeq3LkMp/zJFl7v0pn7LslFLwdgULIGNGQIH+eeeUT5sApDJ46jDX0jtz56 45X6BKE0LQ+e6VZN9UvvAWn5rFd4m0NtpK8gIVmE9F2jPQDv+Tfo64YAgqi4CohyoOTQ hVjj6S5n1Tq1xlJ8wFiYwG2AvDJvWxzxpyZQqKOEUAC2lCkJpCAMDN0LE6gXeeKLcC2j 4P26VWVGUUvDKqUCULeZ8psr+e1toINQjryyzmZ5CXPyC/st9fE84z6LqKGj5tE13S0u cYNA==
X-Gm-Message-State: AHQUAuaoYBRQai2IvhOJP03gnx2y5RrYsmskhSI7z8lKOChtFx3i3mcH KagyTjwWtODSd0KSRIOOUtao0Ho=
X-Google-Smtp-Source: AHgI3IbijN29Dn4+FWXdSzyxNEAXx3CcjLUB5SAUjugKiTntJyyZrrnuXJOMOyMZu8iQ+/y3gLGEvQ==
X-Received: by 2002:a7b:c146:: with SMTP id z6mr2923945wmi.145.1550681953873; Wed, 20 Feb 2019 08:59:13 -0800 (PST)
Received: from [192.168.0.95] (ip-78-45-222-80.net.upcbroadband.cz. [78.45.222.80]) by smtp.gmail.com with ESMTPSA id a8sm9102258wmh.26.2019.02.20.08.59.12 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 20 Feb 2019 08:59:12 -0800 (PST)
Content-Type: multipart/alternative; boundary="Apple-Mail-7A56EC9C-B338-4858-A507-8FF52F6D1B9C"
Mime-Version: 1.0 (1.0)
From: Filip Skokan <panva.ip@gmail.com>
X-Mailer: iPhone Mail (16D57)
In-Reply-To: <CA+k3eCSXRMfyXtrvXv4y5-PMHnUQDFNSrhm8re_ogy3BAVf=UQ@mail.gmail.com>
Date: Wed, 20 Feb 2019 17:59:11 +0100
Cc: oauth <oauth@ietf.org>
Content-Transfer-Encoding: 7bit
Message-Id: <86C3D832-23BA-4300-AD55-4EEF9991AE88@gmail.com>
References: <CA+k3eCSXRMfyXtrvXv4y5-PMHnUQDFNSrhm8re_ogy3BAVf=UQ@mail.gmail.com>
To: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/caAG-3Veifz64Zocqji815Lb3R0>
Subject: Re: [OAUTH-WG] MTLS endpoints & discovery (was something else)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Feb 2019 16:59:19 -0000
+1, great summary Odesláno z iPhonu 20. 2. 2019 v 16:10, Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>: > The objective is to allow the AS to provide MTLS negotiating endpoints on a different host and/or port so that any non-desirable side effects of requesting client certificates during the TLS handshake can be avoided for 'regular' clients that are not doing any MTLS. > > In all likelihood, I'd expect that any pair of MTLS and regular endpoints have the same application logic behind them. And that just the TLS setup that differs to accommodate the aforementioned objective. That means that they'd support the same client authentication methods but the MTLS endpoint would just be set up so as to get MTLS to work. When first considering it, that seemed a bit overreaching for the spec to come out and say and more of a deployment thing for the AS. But maybe being more prescriptive would reduce some of the professed problematic ambiguity. As mentioned in a previous message, referring to the mtls endpoints as aliases might be useful in indicating that they are the same endpoint that is just known and accessed differently based on the context of use. > > I'll grant that some of the wording in RFC 8414 can be awkward with respect to this kind of extension. Calling it a violation is a bit over the top though. And as much as we might try to write specs that are the final word, there's the realities of how usage and understanding unfold in practice. As one example, there's some discussion of the treatment of some of the metadata in this section of a blog post about a different spec being developed https://medium.com/@darutk/ciba-a-new-authentication-authorization-technology-in-2019-explained-by-an-implementer-d1e0ac1311b4#8a00. Maybe that's in violation of RFC 8414 or RFC 7591. Or maybe it's being pragmatic in the given circumstances. I suppose opinions will differ. > > It turns out that writing these specifications is kinda hard. Even when people share the same objective (and that's often not even the case), opinions can differ about what actually constitutes simplicity. It seems that's where we are now. > > My stance as an individual is that the mtls_endpoints (or mtls_endpoint_aliases) approach is reasonable and pragmatic and the most straightforward and simple of the options put forth (i.e.. vs a metadata parameter linking to or well-known locations to completely separate metadata documents). As an editor, I acknowledge that there's been disagreement about it while also noting again that the dissenting voices come from a vocal minority of a few individuals. > > > > >> On Mon, Feb 18, 2019 at 2:55 PM Richard Backman, Annabelle <richanna=40amazon.com@dmarc.ietf.org> wrote: >> Neil’s example demonstrates how the mtls_endpoints approach leads to confusion. Consider the following metadata fragment: >> >> >> >> { >> >> “token_endpoint”: “https://as.example..com/token”, >> >> “token_endpoint_auth_methods_supported”: [ “client_secret_basic”, “tls_client_auth” ], >> >> “mtls_endpoints”: { >> >> “token_endpoint”: “https://as.example.com/mtls/token” >> >> } >> >> } >> >> >> >> Which of these statements about endpoints on https://as.example.com/ are true? >> >> The /token endpoint only supports client_secret_basic, and /mtls/token only supports tls_client_auth. >> The /token endpoint supports both methods, and /mtls/token only supports tls_client_auth. >> Both /token and /mtls/token support both methods. >> >> >> All of these could be reasonable interpretations of this metadata. When properties mean different things in different contexts, ambiguity abounds. >> >> >> >> -- >> >> Annabelle Richard Backman >> >> AWS Identity >> >> >> >> > > CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited.. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you. > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- Re: [OAUTH-WG] MTLS endpoints & discovery (was so… Brian Campbell
- Re: [OAUTH-WG] MTLS endpoints & discovery (was so… Phil Hunt
- Re: [OAUTH-WG] MTLS endpoints & discovery (was so… Filip Skokan
- Re: [OAUTH-WG] MTLS endpoints & discovery (was so… Torsten Lodderstedt
- Re: [OAUTH-WG] MTLS endpoints & discovery (was so… John Bradley
- Re: [OAUTH-WG] MTLS endpoints & discovery (was so… Dave Tonge
- Re: [OAUTH-WG] MTLS endpoints & discovery (was so… Dominick Baier
- Re: [OAUTH-WG] MTLS endpoints & discovery (was so… Neil Madden