Re: [OAUTH-WG] client certs and TLS Terminating Reverse Proxies (was Re: I-D Action: draft-ietf-oauth-jwt-introspection-response-08.txt)
Hans Zandbelt <hans.zandbelt@zmartzone.eu> Wed, 30 October 2019 00:52 UTC
Return-Path: <hans.zandbelt@zmartzone.eu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CE080120052 for <oauth@ietfa.amsl.com>; Tue, 29 Oct 2019 17:52:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.888
X-Spam-Level:
X-Spam-Status: No, score=-1.888 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=zmartzone-eu.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u9s0OyMMPOMs for <oauth@ietfa.amsl.com>; Tue, 29 Oct 2019 17:52:42 -0700 (PDT)
Received: from mail-qt1-x843.google.com (mail-qt1-x843.google.com [IPv6:2607:f8b0:4864:20::843]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 70F7B12009E for <oauth@ietf.org>; Tue, 29 Oct 2019 17:52:42 -0700 (PDT)
Received: by mail-qt1-x843.google.com with SMTP id l3so928361qtp.2 for <oauth@ietf.org>; Tue, 29 Oct 2019 17:52:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zmartzone-eu.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=PP2XVRVhxjMxJUVeGmFg6P5VZyGo8bXWjGu6Bixt9Lc=; b=jdRcycxIUGQZDXBsH2Pi9fNt4JbMkRTuogeKCJqtp6eSlmBazSy39NCDBYNbjOQO/K s5XlDVm940fH5spPcPeH5oVcIC83ZO1MJCTRzoegN7dGXYIqcGPPzVf5j2x5P1F5yNPw HQ+YVKxFeFmZY67sAKVefaGI9yhadlcd4S5qBafHqMAr//GryIZd1vKl+g6toakhtCfa jmyMcwxYETkmkeuz99YnwjDrsraxQPaODsuyO7DxmANNZ4qXOUP374J0/rxWzLQ9uzeD g6D99uSLX0K9TtnK9uczHLyw+8Cvak/kaafKuz5xWmyr3abshIOMtFNMbkbetiCcFrVA iozg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=PP2XVRVhxjMxJUVeGmFg6P5VZyGo8bXWjGu6Bixt9Lc=; b=hBXfPAHZY0E2enIwZ+jBIGKf2PJo5HqJG4omq1QYPSkFju1IwjGV2ffd/ISZGCAUgv 7cA1Mn7MkLYhco2QqA5SJ2DguJ5wIDkzHHJGT56JraPdxI+N4nJjzOdweFeRuu5uOfum O17daegSxXWwEslFS/eiSgjS3UGnDgpGEHmUm0IOwWMFs38RcTZh+sEfXx76RlJTnXvR sYWFonkObRyoouYDt/W9xvJLNxMjVAM9UdUTUUJcd9ROfxtjqyO+pg1YZ8NslVD0mOOp vxEZwA4LISbANuOK/K8dUWq8BGdwZQ1oieHbsVV57TK0XWyk1+YQLaQineW1ZYuKUed/ tUrQ==
X-Gm-Message-State: APjAAAUFFf6f2q+oMWULC0lCEMYCLMDSzo6f5Zupg8GQC6Rxfp/3uins r0nRxVoPkkzDnpyXnDFcQGV7rYzeg0sKj69Lq6uavw==
X-Google-Smtp-Source: APXvYqxs/l8ObXGAaK1ttNNp0WmKP9q35SgXc/TJcVf8PgMeh2POk/VcYjHn3QKL2DERNah4xLxmqugkWiTjOcaRT6o=
X-Received: by 2002:ac8:4149:: with SMTP id e9mr2258210qtm.321.1572396760359; Tue, 29 Oct 2019 17:52:40 -0700 (PDT)
MIME-Version: 1.0
References: <85D42AA1-FF57-4383-BACB-57C5AA32CFAC@lodderstedt.net> <CAEKOcs2gkM3Henz5nS04_EuBQXWWbJU5K02ErP0rnVZXmjxXJQ@mail.gmail.com> <20191021020546.GZ43312@kduck.mit.edu> <CA+k3eCS7pf3wXBkpbXE0AXKUGogo0YcHd8oWfiBfkPB5axGQQw@mail.gmail.com> <8A8B8892-9D16-4210-BC13-47B5D7859976@mit.edu> <20191024170326.GO69013@kduck.mit.edu> <CAGL6epJZtTXKSGFj0BfhF3kd_Z-z2xzOWXOPEKXc5m18Z4L1uA@mail.gmail.com> <CA+k3eCS8VuCfy4XeqYmLuuLK=rLvHsonSZj4i9O11U-mcua9Pg@mail.gmail.com> <CAGL6epKTV5hXqm2-qgUyG-iA90eLu49GjOKeyLcfsn2naTSV5w@mail.gmail.com> <CA+k3eCQ87n4m--nBc+PX7qE727fqA6vM=meEJZxwfnbpJ2dOsw@mail.gmail.com> <CAGL6epJQbVDrAKB+zNAPuaG0+uLxF3HijEE6=vgYaeXxB_2PXQ@mail.gmail.com> <CA+k3eCQbku0V6z2wCM084FW342dY6=_H7mEv6U3sHCDgefkxXA@mail.gmail.com> <E03CD445-39E8-4262-97BE-E0EE11231A63@forgerock.com> <2B2ACEE8-7B48-4E2D-94DA-AF3DA86DE809@mit.edu> <CA+k3eCRmmZJQjk-WGmpYZeyTvQR0SttRUZeh7FDT-=ikzOUwAA@mail.gmail.com>
In-Reply-To: <CA+k3eCRmmZJQjk-WGmpYZeyTvQR0SttRUZeh7FDT-=ikzOUwAA@mail.gmail.com>
From: Hans Zandbelt <hans.zandbelt@zmartzone.eu>
Date: Wed, 30 Oct 2019 01:52:29 +0100
Message-ID: <CA+iA6uj64yxsvpeb=+9mLp0BnnfD1nTfFN2GzR+4aAK-06gcYA@mail.gmail.com>
To: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>
Cc: Justin Richer <jricher@mit.edu>, oauth@ietf.org
Content-Type: multipart/alternative; boundary="00000000000058fc9505961626b1"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/hUTTkqc_2F_hFqa7EGEBgmfLoJ8>
Subject: Re: [OAUTH-WG] client certs and TLS Terminating Reverse Proxies (was Re: I-D Action: draft-ietf-oauth-jwt-introspection-response-08.txt)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Oct 2019 00:52:45 -0000
+1 to Justin's and Brian's comments, I am interested to contribute and I will try and be there in person as well Hans. On Tue, Oct 29, 2019, 22:56 Brian Campbell <bcampbell= 40pingidentity.com@dmarc.ietf.org> wrote: > +1 to pretty much everything Justin said there. > > With some facilitating assistance from Ben it looks like there's now an > agenda slot for this in the upcoming secdispatch meeting in Singapore. I'll > attempt to articulate the situation and see if there's interest in finding > a home for the perspective work. Folks that'll be in Singapore and > interested in the topic would be encouraged to attend to the secdispatch > meeting during the Afternoon Session III 1710-1840 on Tuesday. > > > On Tue, Oct 29, 2019 at 1:13 PM Justin Richer <jricher@mit.edu> wrote: > >> I would argue that making this standard would actually increase the >> likelihood of developers getting this right, as now instead of following >> some copy-pasted recipe for NGINX or Apache that they found on the web, >> they could turn on a standard setting that would take care of both >> stripping out incoming headers and injecting the appropriate values. And >> all of that can be covered in the security considerations with a bunch of >> normative text on top to make sure inbound headers are stripped. What >> you’re describing below is clever, but ultimately it’s just a small bit of >> obscurity more than anything real. >> >> The way things are today, you’ve got to not only pick a header and figure >> out its format, but also do the injection protection step yourself. Since >> all of these are disconnected, there are a lot more places that it could >> fall over. Even a typo where you throw out incoming “CLIENT_CERT” but >> inject “CLIENT_CERTS” or something like that would be disastrous. >> >> All in all, I am in favor of this being defined in one standard way, in >> addition to secure communication between proxies and backends being >> standardized — but this latter bit really seems like a separate problem. >> >> — Justin >> >> On Oct 28, 2019, at 12:32 PM, Neil Madden <neil.madden@forgerock.com> >> wrote: >> >> While there are some benefits to standardizing headers for this kind of >> communication, there are some significant downsides - particularly when >> using headers to communicate critical security information like certs. It >> is *very* easy to misconfigure a reverse proxy to not strip Forwarded (or >> whatever) headers from incoming requests, allowing a client to simply >> supply a certificate as a header without authenticating the TLS connection >> with the corresponding private key. One good practice to prevent this is to >> pick a random and unguessable header name (configurable per installation) >> to be used for communicating the certificate, rather than using something >> fixed and standard. That way even if you misconfigure the proxy an attacker >> still has to try and guess the correct header name. >> >> I suppose the same thing could be accomplished by having an extension for >> including a shared secret (or HMAC tag) in the header to authenticate it. >> >> -- Neil >> >> On 28 Oct 2019, at 15:32, Brian Campbell < >> bcampbell=40pingidentity.com@dmarc.ietf.org> wrote: >> >> I don't think there's anything beyond defining something to carry the >> client certificate information (including the format and encoding). And it >> could well be a new RFC7239 parameter. Or it might just be a new HTTP >> header on its own. >> >> On Mon, Oct 28, 2019 at 9:05 AM Rifaat Shekh-Yusef <rifaat.ietf@gmail.com> >> wrote: >> >>> Thanks Brian, >>> >>> I guess my question is: given RFC7239 and the fact that it is >>> straightforward to secure the channel between the terminating reverse proxy >>> and the backend service in a cluster, is there anything, from a standard >>> perspective, that we need to do beyond defining a new parameter to carry >>> the client certificate information? >>> You seem suggest that the answer is yes. If so, can you please elaborate >>> on why is that? >>> >>> Regards, >>> Rifaat >>> >>> >>> >>> On Mon, Oct 28, 2019 at 8:42 AM Brian Campbell < >>> bcampbell@pingidentity.com> wrote: >>> >>>> >>>> >>>> On Sat, Oct 26, 2019 at 3:55 PM Rifaat Shekh-Yusef < >>>> rifaat.ietf@gmail.com> wrote: >>>> >>>>> >>>>> On Fri, Oct 25, 2019 at 3:47 PM Brian Campbell < >>>>> bcampbell@pingidentity.com> wrote: >>>>> >>>>>> >>>>>> I did look at RFC7239 when doing that and it could have been made to >>>>>> work but felt the fit wasn't quite right and would have been more >>>>>> cumbersome to use than not. >>>>>> >>>>>> >>>>> Can you elaborate on this? >>>>> These days, with the zero trust model in mind, there are orchestration >>>>> tools, e.g. Istio, that easily allows you to establish an MTLS channel >>>>> between the reverse proxy/load balancer/API GW and the backend servers. >>>>> Why is that not sufficient? >>>>> Which part is cumbersome? >>>>> >>>> >>>> What I meant was only that in the course of writing >>>> https://tools.ietf.org/html/draft-ietf-tokbind-ttrp-09, which aims to >>>> define HTTP header fields that enable a TLS terminating reverse proxy to >>>> convey information to a backend server about the validated Token Binding >>>> Message received from a client, it seemed more straightforward and >>>> sufficient for the use-case to use new HTTP headers to carry the >>>> information rather than to use new fields in the Forwarded header framework >>>> from RFC7239. >>>> >>>> >>>> *CONFIDENTIALITY NOTICE: This email may contain confidential and >>>> privileged material for the sole use of the intended recipient(s). Any >>>> review, use, distribution or disclosure by others is strictly prohibited. >>>> If you have received this communication in error, please notify the sender >>>> immediately by e-mail and delete the message and any file attachments from >>>> your computer. Thank you.* >>> >>> >> *CONFIDENTIALITY NOTICE: This email may contain confidential and >> privileged material for the sole use of the intended recipient(s). Any >> review, use, distribution or disclosure by others is strictly prohibited.. >> If you have received this communication in error, please notify the sender >> immediately by e-mail and delete the message and any file attachments from >> your computer. Thank you.*_______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> >> >> > *CONFIDENTIALITY NOTICE: This email may contain confidential and > privileged material for the sole use of the intended recipient(s). Any > review, use, distribution or disclosure by others is strictly prohibited.. > If you have received this communication in error, please notify the sender > immediately by e-mail and delete the message and any file attachments from > your computer. Thank you.*_______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
- [OAUTH-WG] I-D Action: draft-ietf-oauth-jwt-intro… internet-drafts
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-jwt-i… Vladimir Dzhuvinov
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-jwt-i… Torsten Lodderstedt
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-jwt-i… Travis Spencer
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-jwt-i… Benjamin Kaduk
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-jwt-i… Travis Spencer
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-jwt-i… Justin Richer
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-jwt-i… Torsten Lodderstedt
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-jwt-i… Travis Spencer
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-jwt-i… Benjamin Kaduk
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-jwt-i… Brian Campbell
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-jwt-i… Justin Richer
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-jwt-i… Benjamin Kaduk
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-jwt-i… Rifaat Shekh-Yusef
- [OAUTH-WG] client certs and TLS Terminating Rever… Brian Campbell
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-jwt-i… Benjamin Kaduk
- Re: [OAUTH-WG] client certs and TLS Terminating R… Rifaat Shekh-Yusef
- Re: [OAUTH-WG] client certs and TLS Terminating R… Brian Campbell
- Re: [OAUTH-WG] client certs and TLS Terminating R… Rifaat Shekh-Yusef
- Re: [OAUTH-WG] client certs and TLS Terminating R… Brian Campbell
- Re: [OAUTH-WG] client certs and TLS Terminating R… Rifaat Shekh-Yusef
- Re: [OAUTH-WG] client certs and TLS Terminating R… Neil Madden
- Re: [OAUTH-WG] client certs and TLS Terminating R… Salz, Rich
- Re: [OAUTH-WG] client certs and TLS Terminating R… Rifaat Shekh-Yusef
- Re: [OAUTH-WG] client certs and TLS Terminating R… Salz, Rich
- Re: [OAUTH-WG] client certs and TLS Terminating R… Brian Campbell
- Re: [OAUTH-WG] client certs and TLS Terminating R… Rifaat Shekh-Yusef
- Re: [OAUTH-WG] client certs and TLS Terminating R… Salz, Rich
- Re: [OAUTH-WG] client certs and TLS Terminating R… Justin Richer
- Re: [OAUTH-WG] client certs and TLS Terminating R… Brian Campbell
- Re: [OAUTH-WG] client certs and TLS Terminating R… Hans Zandbelt
- Re: [OAUTH-WG] client certs and TLS Terminating R… Neil Madden
- Re: [OAUTH-WG] client certs and TLS Terminating R… Justin Richer
- Re: [OAUTH-WG] client certs and TLS Terminating R… Torsten Lodderstedt
- Re: [OAUTH-WG] client certs and TLS Terminating R… Neil Madden
- Re: [OAUTH-WG] client certs and TLS Terminating R… Torsten Lodderstedt
- Re: [OAUTH-WG] client certs and TLS Terminating R… Salz, Rich
- Re: [OAUTH-WG] client certs and TLS Terminating R… Neil Madden
- Re: [OAUTH-WG] client certs and TLS Terminating R… Salz, Rich
- Re: [OAUTH-WG] client certs and TLS Terminating R… Neil Madden
- Re: [OAUTH-WG] client certs and TLS Terminating R… Salz, Rich
- Re: [OAUTH-WG] client certs and TLS Terminating R… Neil Madden
- Re: [OAUTH-WG] client certs and TLS Terminating R… Salz, Rich
- Re: [OAUTH-WG] client certs and TLS Terminating R… Neil Madden
- Re: [OAUTH-WG] client certs and TLS Terminating R… Salz, Rich
- Re: [OAUTH-WG] client certs and TLS Terminating R… Jim Manico
- Re: [OAUTH-WG] client certs and TLS Terminating R… Vladimir Dzhuvinov
- Re: [OAUTH-WG] client certs and TLS Terminating R… Hans Zandbelt
- Re: [OAUTH-WG] client certs and TLS Terminating R… Torsten Lodderstedt
- Re: [OAUTH-WG] client certs and TLS Terminating R… Vladimir Dzhuvinov
- Re: [OAUTH-WG] client certs and TLS Terminating R… Hans Zandbelt
- Re: [OAUTH-WG] client certs and TLS Terminating R… Salz, Rich
- Re: [OAUTH-WG] client certs and TLS Terminating R… Vladimir Dzhuvinov
- Re: [OAUTH-WG] client certs and TLS Terminating R… Richard Backman, Annabelle
- Re: [OAUTH-WG] client certs and TLS Terminating R… Salz, Rich
- Re: [OAUTH-WG] client certs and TLS Terminating R… Neil Madden
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: client cer… Richard Backman, Annabelle
- Re: [OAUTH-WG] client certs and TLS Terminating R… Vladimir Dzhuvinov
- Re: [OAUTH-WG] client certs and TLS Terminating R… Richard Backman, Annabelle
- Re: [OAUTH-WG] client certs and TLS Terminating R… Hans Zandbelt
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: client cer… Neil Madden
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-jwt-i… Travis Spencer
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-jwt-i… Brian Campbell