[OAUTH-WG] DPoP followup II: confirmation style

Brian Campbell <bcampbell@pingidentity.com> Wed, 02 December 2020 22:29 UTC

From: Brian Campbell <bcampbell@pingidentity.com>
Date: Wed, 2 Dec 2020 15:28:37 -0700
Message-ID: <CA+k3eCTtE_S5J77R-XkYdWqe0rn_55jT5b=w9MiT+LXJ7OAvUQ@mail.gmail.com>
To: oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/czEMDA9zByycJrkP2vKtISc5wrI>
Subject: [OAUTH-WG] DPoP followup II: confirmation style

There were a few items discussed somewhat during the recent interim
<https://datatracker.ietf.org/meeting/interim-2020-oauth-16/session/oauth>
that I committed to bringing back to the list. The slide below (also
available with some typos and omitted words as slide #18 from the interim
presentation
<https://datatracker.ietf.org/meeting/interim-2020-oauth-16/materials/slides-interim-2020-oauth-16-sessa-dpop-01.pdf>)
is the second one. To summarize (by basically repeating the content of the
slide): It’s been suggested that, for resource access, having the JWK in
the header of the DPoP proof JWT makes it too easy to just use that key to
validate the signature and miss checking the binding to the AT’s cnf/jkt
hash, which undermines the value of doing the binding in the first place.
As I see it, there are two options here and I'd like to gauge WG consensus
on which to move forward with.

   1. It’s fine as is (AS/RS symmetry is nice, it's the same way
   confirmation works in MTLS/TB, and the binding check is kinda fundamental
   to the whole thing so it's not unreasonable to expect implementers to do it)
   2. For resource access, put the full JWK in the AT’s confirmation and
   omit it from the proof (less error prone, no hash function needed for
   confirmation, somewhat less data overall between the two artifacts)
[image: Slide18.jpg]
