[OAUTH-WG] DPoP followup II: confirmation style
Brian Campbell <bcampbell@pingidentity.com> Wed, 02 December 2020 22:29 UTC
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Wed, 02 Dec 2020 15:28:37 -0700
Message-ID: <CA+k3eCTtE_S5J77R-XkYdWqe0rn_55jT5b=w9MiT+LXJ7OAvUQ@mail.gmail.com>
To: oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/czEMDA9zByycJrkP2vKtISc5wrI>
There were a few items discussed somewhat during the recent interim <https://datatracker.ietf.org/meeting/interim-2020-oauth-16/session/oauth> that I committed to bringing back to the list. The slide below (also available with some typos and omitted words as slide #18 from the interim presentation <https://datatracker.ietf.org/meeting/interim-2020-oauth-16/materials/slides-interim-2020-oauth-16-sessa-dpop-01.pdf>) is the second one.

To summarize (by basically repeating the content of the slide): It’s been suggested that, for resource access, having the JWK in the header of the DPoP proof JWT makes it too easy to just use that key to validate the signature and miss checking the binding to the AT’s cnf/jkt hash, which undermines the value of doing the binding in the first place.

As I see it, there are two options here and I'd like to gauge WG consensus on which to move forward with.

1. It’s fine as is (AS/RS symmetry is nice, it's the same way confirmation works in MTLS/TB, and the binding check is kinda fundamental to the whole thing so it's not unreasonable to expect implementers to do it)

2. For resource access, put the full JWK in the AT’s confirmation and omit it from the proof (less error prone, no hash function needed for confirmation, somewhat less data overall between the two artifacts)

[image: Slide18.jpg]
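The two confirmation styles above, as an added example that is not part of Brian Campbell's mail or of any DPoP implementation. It shows the resource-server side: under option 1 the proof header carries the JWK and the access token carries its RFC 7638 thumbprint in cnf.jkt, so the RS must compare the two before it trusts the key; under option 2 the token carries the full key in cnf.jwk (the RFC 7800 "jwk" confirmation method) and the proof may omit it. The naive path that just takes the header key is included to show the failure the slide describes: a stolen token plus a proof signed with the attacker's own key. Signature verification itself is out of scope and must be done by the caller with the key this code returns. The keys, the proof payload and the signature segment are constructed placeholders, and all function and constant names are the example's own, not the draft's.

```python
import base64
import hashlib
import hmac
import json

# RFC 7638 section 3.2: the members that go into the thumbprint, per key type.
# Anything else in the JWK (kid, alg, use, ...) is deliberately excluded.
REQUIRED_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "OKP": ("crv", "kty", "x"),
}


class BindingError(Exception):
    """The DPoP proof is not bound to the access token's confirmation."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: base64url(SHA-256(canonical JSON of required members))."""
    kty = jwk.get("kty")
    if kty not in REQUIRED_MEMBERS:
        raise ValueError(f"unsupported kty: {kty!r}")
    members = REQUIRED_MEMBERS[kty]
    missing = [m for m in members if m not in jwk]
    if missing:
        raise ValueError(f"jwk missing required members: {missing}")
    # sort_keys plus no whitespace yields the lexicographic, compact form RFC 7638 hashes.
    canonical = json.dumps({m: jwk[m] for m in members},
                           separators=(",", ":"), sort_keys=True)
    return b64url_encode(hashlib.sha256(canonical.encode("utf-8")).digest())


def proof_header(dpop_proof: str) -> dict:
    """Decode the JOSE header of a compact-serialized DPoP proof. No signature check."""
    return json.loads(b64url_decode(dpop_proof.split(".")[0]))


def naive_key_for_proof(dpop_proof: str) -> dict:
    """The mistake the thread warns about: trust whatever key the proof carries.
    A stolen access token plus a proof signed with the attacker's own key passes."""
    return proof_header(dpop_proof)["jwk"]


def key_for_proof(dpop_proof: str, cnf: dict) -> dict:
    """Return the public JWK the RS must verify the proof signature with, after
    checking it is the key the access token was bound to. Raises BindingError."""
    header = proof_header(dpop_proof)
    proof_jwk = header.get("jwk")
    if proof_jwk is not None and "d" in proof_jwk:
        raise BindingError("proof header jwk carries private key material")
    if "jkt" in cnf:
        # Option 1: key travels in the proof header, token carries its thumbprint.
        if proof_jwk is None:
            raise BindingError("jkt-confirmed token but proof header has no jwk")
        if not hmac.compare_digest(jwk_thumbprint(proof_jwk), cnf["jkt"]):
            raise BindingError("proof key thumbprint does not match cnf.jkt")
        return proof_jwk
    if "jwk" in cnf:
        # Option 2: full key lives in the token; the proof may omit it.
        # If the proof carries a key anyway, it must be the same one.
        at_jwk = cnf["jwk"]
        if proof_jwk is not None and jwk_thumbprint(proof_jwk) != jwk_thumbprint(at_jwk):
            raise BindingError("proof header jwk differs from the token's cnf.jwk")
        return at_jwk
    raise BindingError("access token has no jkt or jwk confirmation")


# --- Constructed sample data: not real keys, coordinates are placeholders ---
def make_proof(jwk=None) -> str:
    """Build an unsigned compact proof with a placeholder signature segment."""
    header = {"typ": "dpop+jwt", "alg": "ES256"}
    if jwk is not None:
        header["jwk"] = jwk
    payload = {"htm": "GET", "htu": "https://rs.example/resource",
               "jti": "constructed-jti", "iat": 1606948143}
    seg = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return f"{seg(header)}.{seg(payload)}.placeholder-signature"


CLIENT_JWK = {"kty": "EC", "crv": "P-256", "x": "client-x-constructed",
              "y": "client-y-constructed", "kid": "client"}
ATTACKER_JWK = {"kty": "EC", "crv": "P-256", "x": "attacker-x-constructed",
                "y": "attacker-y-constructed"}
# Option 1 token: cnf.jkt is the thumbprint of the client's key.
CNF_JKT = {"jkt": jwk_thumbprint(CLIENT_JWK)}
# Option 2 token: cnf.jwk is the client's full public key.
CNF_JWK = {"jwk": {k: v for k, v in CLIENT_JWK.items() if k != "kid"}}

if __name__ == "__main__":
    print("option 1 key:", key_for_proof(make_proof(CLIENT_JWK), CNF_JKT)["x"])
    print("option 2 key:", key_for_proof(make_proof(None), CNF_JWK)["x"])
    try:
        key_for_proof(make_proof(ATTACKER_JWK), CNF_JKT)
    except BindingError as err:
        print("rejected:", err)
    print("naive RS would verify with:", naive_key_for_proof(make_proof(ATTACKER_JWK))["x"])
```

The thumbprint comparison uses a constant-time compare even though a thumbprint is public data, simply so the RS's confirmation path has one comparison idiom throughout. Rejecting a header key that contains `d` is a check worth keeping under either option: the thumbprint ignores non-required members, so private material would otherwise pass the binding check unnoticed.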