Re: [OAUTH-WG] New Version Notification for draft-fett-oauth-dpop-03.txt

Mike Jones <> Fri, 22 November 2019 08:00 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 776BE120033 for <>; Fri, 22 Nov 2019 00:00:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id w3YqCjqDDjAo for <>; Fri, 22 Nov 2019 00:00:23 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 2DBEA12000F for <>; Fri, 22 Nov 2019 00:00:23 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901;; cv=none; b=HZMKhGVYX5DiVdrHpZQ516EkGRGEVBbynns/ZOo/YqsCyPHcPZAuD5KVclTGKQmmYYYmSAaZZuJtPOpJL8BWrc/hCvWFbaOJLEKXdD2uRpaoV3ypqi91vwJjDWIMZu2vuI5T2lF7TK8EjHfs96pOCD+/Tsqxc5jWaUlkM/ZPDFF2jv78Hx0PXD6SzkzI5vEyaRzDwhb2FzVC853IXnb6BIWnlznakt551cdeqAv89CjUYOJBrJ4Hzraauea+L+Db4meYelJJle2EOCizcKK3IaZQ0PSfhqhdKnvKzc1n9m02av5fKKto3Mlpd2e41XbHOCR+rU935HR8IzvIw6YlUg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=tS3j/XgwyllbN/oT+DnPCb0SjAid9bOqIMmsYUjRcw8=; b=PUTqURDtMIeD/S6XkmoOKjGD/HZSBW/t+cPO7BJv0YkvsDOQ0aA7/hicSNPv/F04YXEGBM0ooPwgYlg2bMUsoRCA5jxzgd8Q4+0SgNgbn4HpbmktKKyl5M3gD+FjOj2rMci9ceg8831Nell5fAuGxuYv5HwayYj0mhOX6Cln6azIO1UDMSbf7R+lsHqK4aztLMd1vxAPBz9Dy8mxMYVaDllNy921XW4N1BlpBP8NUAF+ukgpUfEq7bfl6i691+jgI5uVj8rOK8ncZmIQLkqzDoJUgfnnaDCaftFW2QrMCsZ09Yc2UgbpdhD61wUwNgkTCXHy65VU/zROdEXqAybJ9g==
ARC-Authentication-Results: i=1; 1; spf=pass; dmarc=pass action=none; dkim=pass; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=tS3j/XgwyllbN/oT+DnPCb0SjAid9bOqIMmsYUjRcw8=; b=W4ErAYR7EcJokEZu2636a1/snBmLKGcBKqtYnal6GS2xe69mguvJN3dQPC/OCwE78kiDeR3Kn3Jj5VITWz2cI8CtoJHaxZQyseTpKSN8Z5GVwlB7ic3K7+ueXVQGzQy+UL0pUxB8nlz/pwD0bbnjBiMg6bqBVMoWsuEGcTpFPbw=
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2518.0; Fri, 22 Nov 2019 08:00:19 +0000
Received: from ([fe80::501c:9720:3c93:15f2]) by ([fe80::501c:9720:3c93:15f2%3]) with mapi id 15.20.2511.000; Fri, 22 Nov 2019 08:00:19 +0000
From: Mike Jones <>
To: Torsten Lodderstedt <>, Justin Richer <>
CC: oauth <>
Thread-Topic: [OAUTH-WG] New Version Notification for draft-fett-oauth-dpop-03.txt
Thread-Index: AdWhCuA0RlhHUexKRuKkSyIMvu0qlg==
Date: Fri, 22 Nov 2019 08:00:17 +0000
Message-ID: <>
Accept-Language: en-US
Content-Language: en-US
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ActionId=82129f54-8fd9-4701-9b9d-0000688df064; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ContentBits=0; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=true; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Method=Standard; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=Internal; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2019-11-22T07:55:14Z; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47;
authentication-results: spf=none (sender IP is );
x-originating-ip: []
x-ms-publictraffictype: Email
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: 1447e0fa-0766-4ac5-ccd8-08d76f220479
x-ms-traffictypediagnostic: BYAPR00MB0614:
x-microsoft-antispam-prvs: <>
x-ms-oob-tlc-oobclassifiers: OLM:8273;
x-forefront-prvs: 02296943FF
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(4636009)(366004)(396003)(39860400002)(376002)(346002)(136003)(13464003)(189003)(199004)(86362001)(256004)(110136005)(14444005)(6306002)(6436002)(9686003)(55016002)(6246003)(2171002)(229853002)(6116002)(66574012)(4326008)(71190400001)(71200400001)(2906002)(186003)(26005)(3846002)(52536014)(15650500001)(10090500001)(8936002)(66476007)(66556008)(64756008)(66446008)(81156014)(81166006)(66946007)(8990500004)(316002)(8676002)(25786009)(99286004)(22452003)(6506007)(53546011)(102836004)(76116006)(14454004)(305945005)(7696005)(66066001)(478600001)(10290500003)(966005)(7736002)(5660300002)(74316002)(33656002); DIR:OUT; SFP:1102; SCL:1; SRVR:BYAPR00MB0614;; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None ( does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: SkwVAm3ImjCTd5OKsIpP8DeHTa1qEaEQ9admHvYfEMoLXneFXczcF/tBZCqTtYC7lkYDxwHURJg+jwSMSAhiLFmQW01KmYPSZ8MepRg+RC4jXkHZW+7T+FeppUvY58B1aaUkDdcJ0q0DY2Vy71sjGOwah/o9eSd7j+PNecdyTCg1Ojp8FcMFEtw6tIvtKs1ktvHmjUQKeJvocP0INShLeOyLiAFSoh7g0MmxtiTedlvZA6iSG/Rdd8EpyrXzEUQbp8AAa5HRI0QmSnuljOsjXjKs4VfCizRaeUhOAoBWjWlD88sRAMSUzy+2FCVW4s5ifYmWN6vQlwNV/x46u9OkMr0u9ZHSJV8Pw2AflJ2DKQbedOkbcBFFvGjQgDQed9hjGrxh3BHOWtjeXGn9+Xpp2YKKs9++KEPVUV4PQpHhJKr0a13Coeqixg1AZdO7IK6SdxEf8WUoN62C+EvOJvo0kJL7p0j0+hD8hWsvIbB8yqw=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 1447e0fa-0766-4ac5-ccd8-08d76f220479
X-MS-Exchange-CrossTenant-originalarrivaltime: 22 Nov 2019 08:00:18.0253 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: Yo+tgRsYO7s043eRFaAL95uswnOqAE1JdwxUoV0/D235OQ2gsX+Gein+Z6ATkuA/qakRYEhvZ+5ByS3nMK7QxQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR00MB0614
Archived-At: <>
Subject: Re: [OAUTH-WG] New Version Notification for draft-fett-oauth-dpop-03.txt
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 22 Nov 2019 08:00:25 -0000

TLS on Web Servers is nearly ubiquitous now and works great.  Trying to use mutual TLS on many platforms results in a nearly intractable user experience, where the end-users are asked to install certificates into certificate stores.  Success rates for those UXs are very low.

And it's even worse than that.  If you use multiple browsers, you'll have to get the person to install the client certificates into multiple certificate stores.  For instance, on Windows, Edge, Firefox, and Chrome all use different certificate stores.

Server-side TLS works because end-users don't have to do anything difficult to use it.  That can't be said for client-side TLS.

				-- Mike

-----Original Message-----
From: OAuth <> On Behalf Of Torsten Lodderstedt
Sent: Thursday, November 21, 2019 11:54 PM
To: Justin Richer <>
Cc: oauth <>
Subject: [EXTERNAL] Re: [OAUTH-WG] New Version Notification for draft-fett-oauth-dpop-03.txt

> On 22. Nov 2019, at 15:24, Justin Richer <> wrote:
> I’m going to +1 Dick and Annabelle’s question about the scope here. That was the one major thing that struck me during the DPoP discussions in Singapore yesterday: we don’t seem to agree on what DPoP is for. Some (including the authors, it seems) see it as a quick point-solution to a specific use case. Others see it as a general PoP mechanism. 
> If it’s the former, then it should be explicitly tied to one specific set of things. If it’s the latter, then it needs to be expanded. 

as a co-author of the DPoP draft I state again what I said yesterday: DPoP is a mechanism for sender-constraining access tokens sent from SPAs only. The threat to be prevented is token replay.

The general mechanism for sender constrained access token should be TLS-based as recommended by the Security BCP (see;;sdata=tvqS9JnASGHWeVZnxm0x6Rr7sSCaMX5Hd7ImpyoN%2BqE%3D&amp;reserved=0).

Why: that’s the easiest way from a client developer's perspective. 

Application level signatures, on the other hand, are inherently more fragile as illustrated by the OAuth 1 experience. They also require additional effort (and state) on the server side to implement replay detection. 

As kind of an entertaining read I added two posts/threads from 2010, when this WG discussed whether TLS/SSL should be the primary OAuth 2.0 security mechanism.;;sdata=EYJcPaUIPorvsaZtHTcRhztyoc7aT5HvoISpCe%2FJi2w%3D&amp;reserved=0;;sdata=EaoRe%2BF2guKYB%2B9exMnl3oeyAEmS3%2FvQXV2BcXgYyOg%3D&amp;reserved=0

The decision to go with TLS only was, in my opinion, one of the key success factors that made OAuth 2 so incredibly successful.

To re-state: From my perspective, DPoP is intended to be used by SPA developers only for token replay detection (or better put to provide RSs with the pre-requisites to do so).  

Why? Because we unfortunately currently lack a TLS-based mechanism for sender-constraining.

Building it on asymmetrical crypto only makes it easier to implement and to handle than methods based on shared secrets.

I also think we must look for alternative methods to enable TLS-based methods in the browser. 

> I’ll repeat what I said at the mic line: My take is that we should explicitly narrow down DPoP so that it does exactly one thing and solves one narrow use case. And for a general solution? Let’s move that discussion into the next major revision of the protocol where we’ll have a bit more running room to figure things out.
>  — Justin
>> On Nov 22, 2019, at 3:13 PM, Dick Hardt <> wrote:
>> On Fri, Nov 22, 2019 at 3:08 PM Neil Madden <> wrote:
>> On 22 Nov 2019, at 01:42, Richard Backman, Annabelle <> wrote:
>>> There are key distribution challenges with that if you are doing validation at the RS, but validation at the RS using either approach means you’ve lost protection against replay by the RS. This brings us back to a core question: what threats are in scope for DPoP, and in what contexts?
>> Agreed, but validation at the RS is premature optimisation in many cases. And if you do need protection against that the client can even append a confirmation key as a caveat and retrospectively upgrade a bearer token to a pop token. They can even do transfer of ownership by creating copies of the original token bound to other certificates/public keys. 
>> While validation at the RS may be an optimization in many cases, it is still a requirement for deployments.
>> I echo Annabelle's last question: what threats are in scope (and out of scope) for DPoP?
>> _______________________________________________
>> OAuth mailing list
> _______________________________________________
> OAuth mailing list