Re: [OAUTH-WG] PoP Key Distribution

Mike Jones <Michael.Jones@microsoft.com> Thu, 05 July 2018 15:03 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: Benjamin Kaduk <kaduk@mit.edu>
CC: "oauth@ietf.org" <oauth@ietf.org>
Date: Thu, 05 Jul 2018 15:03:23 +0000
Message-ID: <MW2PR00MB02981EA3C86ED3715B89A188F5400@MW2PR00MB0298.namprd00.prod.outlook.com>
References: <VI1PR0801MB211213D11E7820FD31218663FA420@VI1PR0801MB2112.eurprd08.prod.outlook.com> <DM5PR00MB029359EBBE81D3899BEA34FBF5420@DM5PR00MB0293.namprd00.prod.outlook.com> <20180704214654.GK60996@kduck.kaduk.org>
In-Reply-To: <20180704214654.GK60996@kduck.kaduk.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/H-aGIPC3c1U8idbcipJDQxvXLt4>
Subject: Re: [OAUTH-WG] PoP Key Distribution
List-Id: OAUTH WG <oauth.ietf.org>

[See my reply to Ludwig, since the thread forked]

-----Original Message-----
From: Benjamin Kaduk <kaduk@mit.edu> 
Sent: Wednesday, July 4, 2018 2:47 PM
To: Mike Jones <Michael.Jones@microsoft.com>
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] PoP Key Distribution

On Tue, Jul 03, 2018 at 08:10:52PM +0000, Mike Jones wrote:
> 
> I believe that the ACE "profile" parameter is typically unnecessary 
> and not in the spirit of normal OAuth.  Configuration information 
> between OAuth participants is typically configured out of band and/or 
> retrieved from the AS Discovery document (per the newly minted RFC 
> 8414<https://tools.ietf.org/html/rfc8414>). There's no need to 
> dynamically exchange a profile identifier when this is essentially 
> always known in advance.  We should not include "profile".  For that 
> matter, ACE

For what it's worth, this part of "the spirit of normal OAuth" is something that leaves me with lingering unease.  While I do not dispute that this sort of configuration information is usually known out of band or via discovery, we ought to be considering the potential consequences when the parties do not actually agree on what configuration should be in use.  An explicit indicator makes for an easy-to-analyze "fail quickly" scenario, whereas leaving things implicit is much harder to reason about.  And yes, this case of easier analysis is at the cost of complexity elsewhere, so there is a tradeoff.

-Ben
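As an added example (not code from this thread, nor from any ACE or OAuth implementation), a small Python model of the tradeoff Ben describes: when the AS states an explicit "profile" in the token response, a client/AS disagreement is rejected at the token response, whereas without it the client proceeds on its assumed out-of-band configuration and the mismatch only surfaces as a generic failure at the resource server. The profile names, the token-response shape and the AS/RS behaviour are constructed assumptions.

```python
# Constructed model of explicit vs. implicit profile agreement between an
# OAuth/ACE client, AS and RS. Profile names are placeholders, not registered values.
from dataclasses import dataclass


class ProfileMismatch(Exception):
    """Client-side rejection of a token response that names an unsupported profile."""


@dataclass
class Client:
    supported: frozenset = frozenset({"coap_dtls"})   # profiles this client implements
    assumed: str = "coap_dtls"                         # out-of-band default when the AS is silent

    def choose_profile(self, token_response: dict) -> str:
        """Explicit indicator present: reject immediately on disagreement.
        No indicator: fall back to the configured assumption and hope it matches."""
        profile = token_response.get("profile")
        if profile is None:
            return self.assumed
        if profile not in self.supported:
            raise ProfileMismatch(
                f"AS selected {profile!r}; client supports {sorted(self.supported)}")
        return profile


def issue_token(as_profile: str, explicit: bool) -> dict:
    """Constructed AS token response; the AS may or may not state its profile."""
    resp = {"access_token": "opaque-placeholder", "token_type": "pop"}
    if explicit:
        resp["profile"] = as_profile
    return resp


def rs_accepts(rs_profile: str, client_profile: str) -> bool:
    """The RS checks proof-of-possession under its own profile; a mismatch
    shows up only as a generic authorization failure, not as a config error."""
    return rs_profile == client_profile


def where_does_it_fail(client: Client, as_profile: str, explicit: bool) -> str:
    """Run one exchange and report 'ok', 'token_response' (fail-fast, explicit)
    or 'resource_access' (late, implicit). Assumes the RS shares the AS's profile."""
    token = issue_token(as_profile, explicit)
    try:
        chosen = client.choose_profile(token)
    except ProfileMismatch:
        return "token_response"
    return "ok" if rs_accepts(as_profile, chosen) else "resource_access"
```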