Re: [OAUTH-WG] Call for Adoption - OAuth Proof of Possession Tokens with HTTP Message Signature

Ash Narayanan <ashvinnarayanan@gmail.com> Fri, 08 October 2021 04:05 UTC

References: <CADNypP9QXCEjJmkhBvTHn68kDcJ2Mfg-tSQx1-hvfPoOTXCKzA@mail.gmail.com> <59DBD0A1-7C36-47D1-9F4C-AFE5EA8458E1@forgerock.com>
In-Reply-To: <59DBD0A1-7C36-47D1-9F4C-AFE5EA8458E1@forgerock.com>
From: Ash Narayanan <ashvinnarayanan@gmail.com>
Date: Fri, 08 Oct 2021 15:05:33 +1100
Message-ID: <CAFvbn=ZRCGoLtZ1DidZa0KYR0-zMTVSfCQEJ+7YyScYXUf84Fw@mail.gmail.com>
To: Neil Madden <neil.madden@forgerock.com>, Warren Parad <wparad@rhosys.ch>
Cc: oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/hg5M0luZZF4dqOqSBo2fIyWby7k>
Subject: Re: [OAUTH-WG] Call for Adoption - OAuth Proof of Possession Tokens with HTTP Message Signature

Oh geez, yesterday was my day off but ended up down a deep rabbit hole
after reading this draft and the ones that came before it.

I do not support adoption and was going to list my reasons but Warren Parad
beat me to it.

In addition to the list he has provided, I'd also like to see the draft
make a mention of public clients; obviously we can't use any sensitive keys
with these.


Regards,
Ash

On Thu, Oct 7, 2021 at 11:02 PM Neil Madden <neil.madden@forgerock.com>
wrote:

> Canonicalised signature schemes inevitably lead to cryptographic doom, and
> should die with SAML (ha!). For that reason I do not support adoption of
> this draft.
>
> I also think the arguments for canonicalisation vanish as soon as you want
> end-to-end confidentiality too.
>
> — Neil
>
> On 6 Oct 2021, at 22:02, Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
> wrote:
>
> 
> All,
>
> As a followup on the interim meeting today, this is a *call for adoption* for
> the *OAuth Proof of Possession Tokens with HTTP Message Signature* draft
> as a WG document:
> https://datatracker.ietf.org/doc/draft-richer-oauth-httpsig/
>
> Please, provide your feedback on the mailing list by *October 20th*.
>
> Regards,
>  Rifaat & Hannes
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth