Re: [OAUTH-WG] New Version Notification for draft-fett-oauth-dpop-03.txt

Torsten Lodderstedt <torsten@lodderstedt.net> Fri, 22 November 2019 12:17 UTC

Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 720EA12084D for <oauth@ietfa.amsl.com>; Fri, 22 Nov 2019 04:17:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lodderstedt.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qIgmMgZEh1h0 for <oauth@ietfa.amsl.com>; Fri, 22 Nov 2019 04:16:58 -0800 (PST)
Received: from mail-pl1-x62c.google.com (mail-pl1-x62c.google.com [IPv6:2607:f8b0:4864:20::62c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F05DD120832 for <oauth@ietf.org>; Fri, 22 Nov 2019 04:16:57 -0800 (PST)
Received: by mail-pl1-x62c.google.com with SMTP id o9so3051375plk.6 for <oauth@ietf.org>; Fri, 22 Nov 2019 04:16:57 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lodderstedt.net; s=google; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=nekcKt/AtnoM1glAZw5Vgv7uiD+xeuCOZHc3v6K6gr0=; b=2z4xSp20Ll7wGDhcaV2S7J6C7KOV8LI+SWpCQPxaToGxk9193xq8H7r9ybr8Q2nN/Y YapSEvC8WSWFBZ2g8tjWvmd35/cEkjS/G2jGGlAYJ0XptbPZLFENaM1gtB+dRB6sUqlg +W0iMhj/iQjj5ubxLeQFPP8990Av6ufYL3av4/jKVdzfVtLocE6B8M7UcMvE0sReJ5Vm 97OCYN8xjdj9WNvEITKrtdcQpq/Xfefq2/7PhkMr5P7SGCBcHw4K2XQGRiWq9uDwULqA Mn3NEZhMMheRa/RxQBUIx4HyI9aJfI0in1CQ55G58HuVz3rfUmvbiivWTjGKVhExABIh r70w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=nekcKt/AtnoM1glAZw5Vgv7uiD+xeuCOZHc3v6K6gr0=; b=s97FWYRG+VRxipoTJ41CaE4zaqEZMt6VFj0JlZupvny1EnvmDAaqjgAU0uZfCxQslD 8TWIYzlSiUhyc47CPUKaJ0mh2tRlIh6kOHUbHCP9Bz8zyUAOFx4CC/3MWb82hji1eKZF nSbPCbx5nkgN06Ol4mlBlDQ/mdTTu+pGDhESxHhxo6Fx7NkLADKnf7acDEmdLpUQInjb NDLbDJZ49tQdIeIV2v2QMz4frV2I7R280PveFmr/3FQfo2xjhAqSfMGEUQavtG/tvMmI u4PoV/zi0LmuJgosbyYdAjUzmevZZHqixtmhAVTTwKeX+iyut/G/tW3h3yvBI9gEbzVx 89YA==
X-Gm-Message-State: APjAAAWBPRRxjzDwgKh9RSNF9qrQyYDv+U094XpeEmW36uNqLPsKvWgG M8NiuUFYTYSbPkKOcBlIBQgYcIEuUYrZohbY
X-Google-Smtp-Source: APXvYqyhxEIi0dicrgp71OYP/pf9QC2C7eu0Ak4e3nI+LnUTaU8YllXHkBR2NisxsQNzMqrIRWq9qQ==
X-Received: by 2002:a17:902:758d:: with SMTP id j13mr14436953pll.55.1574425017311; Fri, 22 Nov 2019 04:16:57 -0800 (PST)
Received: from [10.84.13.52] ([103.137.210.94]) by smtp.gmail.com with ESMTPSA id i13sm7029705pfo.39.2019.11.22.04.16.55 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 22 Nov 2019 04:16:56 -0800 (PST)
From: Torsten Lodderstedt <torsten@lodderstedt.net>
Message-Id: <47A8F67C-4F4F-4E1A-B087-8A468F0AD99D@lodderstedt.net>
Content-Type: multipart/signed; boundary="Apple-Mail=_10CDEE9F-4BAA-40DA-B4D7-DE0BCDFB5A05"; protocol="application/pkcs7-signature"; micalg="sha-256"
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3601.0.10\))
Date: Fri, 22 Nov 2019 20:16:51 +0800
In-Reply-To: <HE1PR05MB47138B16B12E3EEAF8B9B9CDFA490@HE1PR05MB4713.eurprd05.prod.outlook.com>
Cc: Mike Jones <Michael.Jones@microsoft.com>, oauth <oauth@ietf.org>, Rob Otto <robotto@pingidentity.com>
To: Petteri Stenius <Petteri.Stenius@ubisecure.com>
References: <2EF412B8-AF8C-4642-9BE0-1B528B0C63D5@amazon.com> <288343F2-ACF0-43E0-8577-26AF45330E5C@forgerock.com> <CAD9ie-u_SM+1hRuBWR7zBGSi4Ex59Ht0SzoVTeFuWTRc3cFJXw@mail.gmail.com> <6DECA422-AACC-4DAA-8CD2-FF57CE02DE3E@mit.edu> <CABh6VRHoBqbQAe4U8UxXodCc8oOpOb=GRb_82gT6X9H5rp0n8Q@mail.gmail.com> <1119B3F6-01A0-4885-A352-5C719A7CDE2C@lodderstedt.net> <CABh6VRG7nZ0JhX8u8OM6cxR_2m6ZebbkCDPd_OzRHvBv2EQtkA@mail.gmail.com> <7590824B-18B6-4896-AD30-1903A86F5F0A@lodderstedt.net> <BYAPR00MB05674C455BCBA825BA6C906DF5490@BYAPR00MB0567.namprd00.prod.outlook.com> <1F50E494-5AA7-4739-BC17-9DC08FC0A254@lodderstedt.net> <HE1PR05MB47138B16B12E3EEAF8B9B9CDFA490@HE1PR05MB4713.eurprd05.prod.outlook.com>
X-Mailer: Apple Mail (2.3601.0.10)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/eMFht1onFCOBTbPpjjoEl53N_xk>
Subject: Re: [OAUTH-WG] New Version Notification for draft-fett-oauth-dpop-03.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Nov 2019 12:17:00 -0000

I would love see this happen!
Note: you would also need to create a cert.

> On 22. Nov 2019, at 19:38, Petteri Stenius <Petteri.Stenius@ubisecure.com> wrote:
> 
> Hi all,
> 
> For browser based apps it is basically limitations of Fetch API that prevent MTLS binding, as Fetch uses client certificate dialogs and stores. Does it make sense to suggest browser vendors fix the Fetch API to better support MTLS?
> 
> For example if Fetch API allowed setting up a MTLS request with a WebCrypto generated and managed key it would be sufficient for MTLS binding. 
> 
> Petteri
> 
> Fetch API - https://fetch.spec.whatwg.org/ 
> 
> -----Original Message-----
> From: OAuth <oauth-bounces@ietf.org> On Behalf Of Torsten Lodderstedt
> Sent: perjantai 22. marraskuuta 2019 10.54
> To: Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org>
> Cc: oauth <oauth@ietf.org>; Torsten Lodderstedt <torsten=40lodderstedt.net@dmarc.ietf.org>; Rob Otto <robotto=40pingidentity.com@dmarc.ietf.org>
> Subject: Re: [OAUTH-WG] New Version Notification for draft-fett-oauth-dpop-03.txt
> 
> I couldn't agree more. I think we should, again, try to find a way to utilise TLS in the browser as well. 
> 
>> On 22. Nov 2019, at 16:50, Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org> wrote:
>> 
>> I hear you about the difference between Web apps and native apps, Torsten.  But using different mechanisms for different application types is a cost in and of itself.
>> 
>> It's good to understand the tradeoffs.
>> 
>> -- Mike
>> 
>> 
>> From: OAuth <oauth-bounces@ietf.org> on behalf of Torsten Lodderstedt <torsten=40lodderstedt.net@dmarc.ietf.org>
>> Sent: Friday, November 22, 2019 4:20:58 PM
>> To: Rob Otto <robotto=40pingidentity.com@dmarc.ietf.org>
>> Cc: oauth <oauth@ietf.org>
>> Subject: [EXTERNAL] Re: [OAUTH-WG] New Version Notification for draft-fett-oauth-dpop-03.txt
>> 
>> Hi Rob,
>> 
>>> On 22. Nov 2019, at 16:10, Rob Otto <robotto=40pingidentity.com@dmarc.ietf.org> wrote:
>>> 
>>> Hi Torsten - thanks for the reply..
>>> 
>>> Responses in line.
>>> 
>>> Grüsse
>>> Rob
>>> 
>>> On Fri, 22 Nov 2019 at 07:59, Torsten Lodderstedt <torsten=40lodderstedt.net@dmarc.ietf.org> wrote:
>>> Hi Rob, 
>>> 
>>>> On 22. Nov 2019, at 15:52, Rob Otto <robotto=40pingidentity.com@dmarc..ietf.org> wrote:
>>>> 
>>>> Hi everyone
>>>> 
>>>> I'd agree with this. I'm looking at DPOP as an alternative and ultimately simpler way to accomplish what we can already do with MTLS-bound Access Tokens, for use cases such as the ones we address in Open Banking; these are API transactions that demand a high level of assurance and as such we absolutely must have a mechanism to constrain those tokens to the intended bearer. Requiring MTLS across the ecosystem, however, adds significant overhead in terms of infrastructural complexity and is always going to limit the extent to which such a model can scale.
>>> 
>>> I would like to unterstand why mTLS adds “significant overhead in terms of infrastructural complexity”. Can you please dig into details?
>>> 
>>> I guess it's mostly that every RS-endpoint (or what sits in front of it) has to have a mechanism for accepting/terminating mTLS, managing roots of trust, validating/OCSP, etc
>> 
>> You use a PKI then. We use mTLS with self-signed certs. That requires the RS to not check the X.509 trust chain, which requires a special setting (optionalNoCA). 
>> 
>>> and then passing the certificates downstream as headers. None of it is necessarily difficult or impossible to do in isolation, but I meet many many people every week who simply don't know how to do any of this stuff. And these are typically "network people", for want of a better word. There are quite a few SaaS API management and edge solutions out there that don't even support mTLS at all. You also have the difficulty in handling a combination of MTLS and non-MTLS traffic to the same endpoints.
>> 
>> yep. You better split them, especially if that’s a user facing endpoint.
>> 
>>> Again, it's possible to do, but far from straightforward. 
>>> 
>>> 
>>> 
>>> Our experience so far: It can be a headache to set up in a microservice architecture with TLS terminating proxies but once it runs it’s ok. On the other side, it’s easy to use for client developers and it combines client authentication and sender constraining nicely.  
>>> 
>>> I do think its an elegant solution, don't get me wrong. It's just that there are plenty of moving parts that you need to get right and that can be a challenge, particularly in large, complex environments. 
>> 
>> I agree. I also tend there is a tendency to think Client TLS authentication is bad. I understand that from historical and recent experience with PKI. 
>> 
>> But anybody considering to use a application level signing solution based on _raw_ public keys should directly move towards self-signed certificates. That brings you all the benefits of TLS without the (PKI) headache. 
>> 
>>> 
>>> 
>>> 
>>>> 
>>>> DPOP, to me, appears to be a rather more elegant way of solving the same problem, with the benefit of significantly reducing the complexity of (and dependency on) the transport layer. I would not argue, however, that it is meant to be a solution intended for ubiquitous adoption across all OAuth-protected API traffic. Clients still need to manage private keys under this model and my experience is that there is typically a steep learning curve for developers to negotiate any time you introduce a requirement to hold and use keys within  an application. 
>>> 
>>> My experience is most developer don’t even get the URL right (in the signature and the value used on the receiving end). So the total cost of ownership is increased by numerous support inquiries.
>>> I'll not comment, at the risk of offending developers :)  
>> 
>> Alright. Ultimately, I just want to get in touch with those who respond :-)
>> 
>> best regards,
>> Torsten. 
>> 
>>> 
>>> best regards,
>>> Torsten. 
>>> 
>>>> 
>>>> I guess I'm with Justin - let's look at DPOP as an alternative to MTLS-bound tokens for high-assurance use cases, at least initially, without trying to make it solve every problem. 
>>>> 
>>>> Best regards
>>>> Rob
>>>> 
>>>> 
>>>> On Fri, 22 Nov 2019 at 07:24, Justin Richer <jricher@mit.edu> wrote:
>>>> I’m going to +1 Dick and Annabelle’s question about the scope here. That was the one major thing that struck me during the DPoP discussions in Singapore yesterday: we don’t seem to agree on what DPoP is for. Some (including the authors, it seems) see it as a quick point-solution to a specific use case. Others see it as a general PoP mechanism. 
>>>> 
>>>> If it’s the former, then it should be explicitly tied to one specific set of things. If it’s the latter, then it needs to be expanded. 
>>>> 
>>>> I’ll repeat what I said at the mic line: My take is that we should explicitly narrow down DPoP so that it does exactly one thing and solves one narrow use case. And for a general solution? Let’s move that discussion into the next major revision of the protocol where we’ll have a bit more running room to figure things out..
>>>> 
>>>> — Justin
>>>> 
>>>>> On Nov 22, 2019, at 3:13 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
>>>>> 
>>>>> 
>>>>> 
>>>>> On Fri, Nov 22, 2019 at 3:08 PM Neil Madden <neil.madden@forgerock.com> wrote:
>>>>> On 22 Nov 2019, at 01:42, Richard Backman, Annabelle <richanna@amazon.com> wrote:
>>>>>> There are key distribution challenges with that if you are doing validation at the RS, but validation at the RS using either approach means you’ve lost protection against replay by the RS. This brings us back to a core question: what threats are in scope for DPoP, and in what contexts?
>>>>> 
>>>>> Agreed, but validation at the RS is premature optimisation in many cases. And if you do need protection against that the client can even append a confirmation key as a caveat and retrospectively upgrade a bearer token to a pop token. They can even do transfer of ownership by creating copies of the original token bound to other certificates/public keys. 
>>>>> 
>>>>> While validation at the RS may be an optimization in many cases, it is still a requirement for deployments.
>>>>> 
>>>>> I echo Annabelle's last question: what threats are in scope (and out of scope) for DPoP?
>>>>> 
>>>>> 
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org
>>>>> https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Foauth&amp;data=02%7C01%7CMichael.Jones%40microsoft.com%7C2ddae7c4050348d9405a08d76f24f315%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637100076834776598&amp;sdata=6x%2Fjtuo2qkObT8bAdMUmkHbvOYr8wZX7pngViwA4e0Q%3D&amp;reserved=0
>>>> 
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Foauth&amp;data=02%7C01%7CMichael.Jones%40microsoft.com%7C2ddae7c4050348d9405a08d76f24f315%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637100076834776598&amp;sdata=6x%2Fjtuo2qkObT8bAdMUmkHbvOYr8wZX7pngViwA4e0Q%3D&amp;reserved=0
>>>> 
>>>> 
>>>> -- 
>>>> 
>>>> Rob Otto      
>>>> EMEA Field CTO/Solutions Architect    
>>>> robertotto@pingidentity.com   
>>>> 
>>>> c: +44 (0) 777 135 6092
>>>> Connect with us:                                                                                                                                                              
>>>> 
>>>> 
>>>> CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited..  If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Foauth&amp;data=02%7C01%7CMichael.Jones%40microsoft.com%7C2ddae7c4050348d9405a08d76f24f315%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637100076834776598&amp;sdata=6x%2Fjtuo2qkObT8bAdMUmkHbvOYr8wZX7pngViwA4e0Q%3D&amp;reserved=0
>>> 
>>> 
>>> 
>>> -- 
>>> 
>>> Rob Otto      
>>> EMEA Field CTO/Solutions Architect    
>>> robertotto@pingidentity.com   
>>> 
>>> c: +44 (0) 777 135 6092
>>> Connect with us:                                                                                                                                                       
>>> 
>>> 
>>> CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited..  If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>