Re: [OAUTH-WG] WGLC on draft-ietf-oauth-mtls-07
Benjamin Kaduk <kaduk@mit.edu> Thu, 12 April 2018 13:26 UTC
Date: Thu, 12 Apr 2018 08:26:08 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: Neil Madden <neil.madden@forgerock.com>
Cc: Brian Campbell <bcampbell@pingidentity.com>, oauth <oauth@ietf.org>
Message-ID: <20180412132607.GF97291@kduck.kaduk.org>
References: <CAGL6epK7X-jbO0c8GTxm2cAesYwU19R5_GsFY4tpUYxjW-MF_w@mail.gmail.com> <4D385B9E-AA8F-45B3-8C1D-C7B346FFA649@forgerock.com> <CA+k3eCRRUN0_+dVrRabjCrseV0C15wvKmY3jJQ4-eQqhZ2NUQQ@mail.gmail.com> <5758ae34-1d2d-4946-9190-7a2e2bc184d2@Canary>
In-Reply-To: <5758ae34-1d2d-4946-9190-7a2e2bc184d2@Canary>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/dzm4zrrF54OGQt-_dKxvR3IU6QQ>
Just replying on one thing...

On Thu, Apr 12, 2018 at 10:03:11AM +0100, Neil Madden wrote:
> Hi Brian,
>
> Thanks for the detailed responses. Comments in line below (marked with ***).
>
> Neil
>
>
> On Wednesday, Apr 11, 2018 at 9:47 pm, Brian Campbell <bcampbell@pingidentity.com> wrote:
> > On Thu, Mar 29, 2018 at 9:18 AM, Neil Madden <neil.madden@forgerock.com> wrote:
> > > 10. The PKI client authentication method (https://tools.ietf.org/html/draft-ietf-oauth-mtls-07#section-2.1) makes no mention at all of certificate revocation and how to handle checking for that (CRLs, OCSP - with stapling?). Neither does the Security Considerations. If this is a detail to be agreed between the AS and the CA (or just left up to the AS TLS stack) then that should perhaps be made explicit. Again, there are privacy considerations with some of these mechanisms, as OCSP requests are typically sent in the clear (plain HTTP) and so allow an observer to see which clients are connecting to which AS.
> >
> > I didn't think that a TLS client could do OCSP stapling?
> >
>
> *** I think you are right about this. I always assumed it was symmetric (and I think it technically could work), but the spec only talks about stapling in the server-side of the handshake.

This changed between TLS 1.2 and TLS 1.3 -- in 1.3, the server can include "status_request" in its CertificateRequest, and the extensions block in the client's Certificate message can include the OCSP staple.

-Ben
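The TLS 1.3 message layout Ben describes, as an added worked example that is not part of this thread or of the mTLS draft: a server-side CertificateRequest carrying an empty "status_request" extension (RFC 8446, section 4.4.2.1), and a client-side Certificate message whose per-certificate extensions block carries a CertificateStatus with the OCSP staple (RFC 6066 status_type ocsp = 1). The certificate and OCSP bytes are constructed placeholders, not real DER; the code only encodes and decodes the handshake structures and does no TLS, no signature checking and no OCSP validation.

```python
import struct

# Extension type and status_type values from RFC 8446 / RFC 6066.
EXT_STATUS_REQUEST = 5
STATUS_TYPE_OCSP = 1

# Constructed placeholders for this example; a real stack would carry DER here.
SAMPLE_LEAF_CERT = b"CONSTRUCTED-LEAF-CERT-DER"
SAMPLE_CA_CERT = b"CONSTRUCTED-INTERMEDIATE-CERT-DER"
SAMPLE_OCSP_RESPONSE = b"CONSTRUCTED-OCSP-RESPONSE-DER"
SAMPLE_CONTEXT = b"\xab\xcd"  # certificate_request_context chosen by the server


def _vec(data: bytes, length_bytes: int) -> bytes:
    """Encode a TLS variable-length vector: big-endian length prefix, then data."""
    if len(data) >= 1 << (8 * length_bytes):
        raise ValueError("vector too long for its length prefix")
    return len(data).to_bytes(length_bytes, "big") + data


def _read_vec(buf: bytes, pos: int, length_bytes: int):
    """Decode a vector at buf[pos:]; returns (data, new_pos). Rejects truncation."""
    if pos + length_bytes > len(buf):
        raise ValueError("truncated length prefix")
    n = int.from_bytes(buf[pos:pos + length_bytes], "big")
    pos += length_bytes
    if pos + n > len(buf):
        raise ValueError("truncated vector body")
    return buf[pos:pos + n], pos + n


def _extensions(exts) -> bytes:
    """Encode Extension extensions<..2^16-1> from a list of (type, data)."""
    body = b"".join(struct.pack("!H", t) + _vec(d, 2) for t, d in exts)
    return _vec(body, 2)


def _parse_extensions(blob: bytes):
    out, pos = [], 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated extension type")
        (t,) = struct.unpack("!H", blob[pos:pos + 2])
        data, pos = _read_vec(blob, pos + 2, 2)
        out.append((t, data))
    return out


# ---- Server side: CertificateRequest asking the client for a staple ----
def build_certificate_request(context: bytes, request_ocsp: bool) -> bytes:
    exts = [(EXT_STATUS_REQUEST, b"")] if request_ocsp else []  # empty extension_data
    return _vec(context, 1) + _extensions(exts)


def parse_certificate_request(msg: bytes):
    """Client view: returns (context, server_wants_ocsp)."""
    context, pos = _read_vec(msg, 0, 1)
    ext_blob, pos = _read_vec(msg, pos, 2)
    if pos != len(msg):
        raise ValueError("trailing bytes in CertificateRequest")
    wants_ocsp = any(t == EXT_STATUS_REQUEST for t, _ in _parse_extensions(ext_blob))
    return context, wants_ocsp


# ---- Client side: Certificate message with a per-entry OCSP staple ----
def build_client_certificate(context: bytes, chain, ocsp_by_index) -> bytes:
    """chain: list of cert bytes; ocsp_by_index: {position in chain: OCSP bytes}."""
    entries = b""
    for i, cert in enumerate(chain):
        exts = []
        if i in ocsp_by_index:
            status = bytes([STATUS_TYPE_OCSP]) + _vec(ocsp_by_index[i], 3)  # CertificateStatus
            exts.append((EXT_STATUS_REQUEST, status))
        entries += _vec(cert, 3) + _extensions(exts)  # CertificateEntry
    return _vec(context, 1) + _vec(entries, 3)


def parse_client_certificate(msg: bytes):
    """Server view: returns (context, [(cert, ocsp_or_None), ...])."""
    context, pos = _read_vec(msg, 0, 1)
    list_blob, pos = _read_vec(msg, pos, 3)
    if pos != len(msg):
        raise ValueError("trailing bytes in Certificate")
    entries, p = [], 0
    while p < len(list_blob):
        cert, p = _read_vec(list_blob, p, 3)
        ext_blob, p = _read_vec(list_blob, p, 2)
        ocsp = None
        for t, d in _parse_extensions(ext_blob):
            if t == EXT_STATUS_REQUEST:
                if not d or d[0] != STATUS_TYPE_OCSP:
                    raise ValueError("unsupported status_type in client staple")
                ocsp, end = _read_vec(d, 1, 3)
                if end != len(d):
                    raise ValueError("trailing bytes in CertificateStatus")
        entries.append((cert, ocsp))
    return context, entries


def run_exchange():
    """Both sides of the exchange; returns what the server recovers from the client."""
    req = build_certificate_request(SAMPLE_CONTEXT, request_ocsp=True)
    ctx, wants_ocsp = parse_certificate_request(req)
    staples = {0: SAMPLE_OCSP_RESPONSE} if wants_ocsp else {}  # staple only the leaf
    cert_msg = build_client_certificate(ctx, [SAMPLE_LEAF_CERT, SAMPLE_CA_CERT], staples)
    return parse_client_certificate(cert_msg)


if __name__ == "__main__":
    ctx, entries = run_exchange()
    for cert, ocsp in entries:
        print(cert, "staple:" if ocsp else "no staple", ocsp or "")
```

Two details matter for an AS that wants to enforce revocation this way: the context echoed by the client must equal the one the server sent, and a client may legitimately omit the staple even when asked, so the server still needs a policy for the `None` case (fail closed, or fall back to its own OCSP or CRL lookup).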