Re: [OAUTH-WG] MTLS vs. DPOP

Daniel Fett <danielf+oauth@yes.com> Tue, 07 May 2019 14:50 UTC

To: oauth@ietf.org
References: <DBBPR08MB4539BA4621AC8029AEF4F8C8FA310@DBBPR08MB4539.eurprd08.prod.outlook.com> <31bec10c-e245-12b4-c092-2928b8e286d7@aol.com>
From: Daniel Fett <danielf+oauth@yes.com>
Message-ID: <8ead12b0-2098-e032-fc6c-27fb8bf1205a@yes.com>
Date: Tue, 07 May 2019 16:50:31 +0200
In-Reply-To: <31bec10c-e245-12b4-c092-2928b8e286d7@aol.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/j8kC7CLC8QLPs_jGDXi7cEJ4JkU>

On 07.05.19 at 16:12, George Fletcher wrote:
> I don't see them the same at all. With MTLS, the token is bound to the
> transport layer (and the key used to establish that encrypted
> connection). With DPOP, the token is bound to the private key known to
> the client.

They are certainly not the same, and, as you wrote further below, MTLS is
more secure. I also wouldn't call one of them the superset of the other one.

That said, they are similar in their functionality. One could, in
theory, use MTLS on the token endpoint and DPoP for the resource access
and vice versa.

We could specify both MTLS and DPoP in a single document. But I am not
sure what the added value of that would be.

Pending good arguments for a merge, I would propose to continue the work
on both MTLS and DPoP. They both have their merits.

- Daniel