IETF Logo Mail Archive

Re: [OAUTH-WG] MTLS vs. DPOP

Torsten Lodderstedt <torsten@lodderstedt.net> Wed, 08 May 2019 07:32 UTC

Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6565E120041 for <oauth@ietfa.amsl.com>; Wed, 8 May 2019 00:32:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lndKlzL_6T6J for <oauth@ietfa.amsl.com>; Wed, 8 May 2019 00:32:53 -0700 (PDT)
Received: from smtprelay03.ispgateway.de (smtprelay03.ispgateway.de [80.67.18.15]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 03A1312002F for <oauth@ietf.org>; Wed, 8 May 2019 00:32:53 -0700 (PDT)
Received: from [84.158.239.111] (helo=[192.168.71.123]) by smtprelay03.ispgateway.de with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) (envelope-from <torsten@lodderstedt.net>) id 1hOH4J-0003Vt-I0; Wed, 08 May 2019 09:32:47 +0200
From: Torsten Lodderstedt <torsten@lodderstedt.net>
Message-Id: <E48C0E70-46DB-4862-93A0-B92EE1699E25@lodderstedt.net>
Content-Type: multipart/signed; boundary="Apple-Mail=_83F680DF-72D5-4259-99EB-14C1877DA8C3"; protocol="application/pkcs7-signature"; micalg="sha-256"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.8\))
Date: Wed, 08 May 2019 09:32:46 +0200
In-Reply-To: <93AEC302-1D48-47C5-AA2F-5F21EE8935F9@okta.com>
Cc: Hannes Tschofenig <Hannes.Tschofenig@arm.com>, "oauth@ietf.org" <oauth@ietf.org>
To: Karl McGuinness <kmcguinness@okta.com>
References: <DBBPR08MB4539BA4621AC8029AEF4F8C8FA310@DBBPR08MB4539.eurprd08.prod.outlook.com> <6A97A589-FB03-4EE3-8403-43D12E82071C@lodderstedt.net> <CA58E903-D591-443A-87AF-B7F5287216D7@okta.com> <132A5A1F-FF8C-4EBE-BF53-66564FB7C7A7@lodderstedt.net> <93AEC302-1D48-47C5-AA2F-5F21EE8935F9@okta.com>
X-Mailer: Apple Mail (2.3445.104.8)
X-Df-Sender: dG9yc3RlbkBsb2RkZXJzdGVkdC5uZXQ=
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/jLbvCgkR23eZIhEymvAbL4ONOvA>
Subject: Re: [OAUTH-WG] MTLS vs. DPOP
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 May 2019 07:32:56 -0000

Hi Karl,

> On 7. May 2019, at 22:42, Karl McGuinness <kmcguinness@okta.com> wrote:
> 
> 1) You often need to deploy your cloud edge load balancer in TCP mode and handle your own TLS termination if you want client authentication. 

I like that option since it gives end2end transport security for your application. Unfortunately, that’s not supported by all cloud platforms. 

> 2) There are often many intermediates between your edge where client TLS is terminated and your actual service.  You need to forward cert context from the edge as protected headers to your AS.

That’s certainly true. The mTLS implementations I know all support passing the certificate from the TLS handshake via header parameter. Brian Campbell wrote a draft about this topic for token binding (https://tools.ietf.org/html/draft-ietf-tokbind-ttrp), but conceptually the same holds true for mTLS. 

Clearly, authenticity and integrity of the request between proxy and consuming service must be ensured, TLS in conjunction with shared secrets or TLS Client authentication could be used for that purpose or even network mechanisms. 

> 3) It's not easy to use different trust roots per tenant for client authentication.  

That’s required if you use the PKI mode. I would recommend to use the self-signed mode (in combination with the optional_no_ca setting at your TLS terminating proxy), which does not require any trust root. Given you consider using DPoP, which uses raw keys, self-signed should be fine for you as well.  

> SNI is not supported as a selector via off the shelf solutions and requires a software defined network (SDN) solution.
> 
> On the FaaS side client complexity is there especially with OpenSSL bindings
> 
> 1) https://medium.com/@vaneek/using-mutual-tls-authentication-in-a-serverless-world-3afd19a6fe70

As far as I understand this article, it’s mainly about PKI. So again, use mTLS in conjunction with self-signed certs and optional_no_ca.

kind regards,
Torsten.  

> 
> -Karl
> 
>> On May 7, 2019, at 11:17 AM, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
>> 
>> 
>> 
>>> Am 07.05.2019 um 20:09 schrieb Karl McGuinness <kmcguinness@okta.com>:
>>> 
>>> mTLS has significant challenges at scale in a multi-tenant SaaS deployment on public clouds using modern edge technologies/services.  Applications are increasingly being built using Function-as-a-Service/ephemeral workloads as well.  Additional complexity increases if you also want to support "bring your own CA”.
>> 
>> Can you please share the details of those challenges with us?
>> 
>>> 
>>> DPoP enables application level deployment model independent of how one’s edge or runtime is deployed/managed.  This is very valuable for SaaS providers.  We expect to eventually deploy a DPoP like solution for all client models and not just SPA. 
>>> 
>>> -Karl
>>> 
>>>> On May 7, 2019, at 10:43 AM, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
>>>> 
>>>> Hi, 
>>>> 
>>>> mTLS is dead simple to use, secure, is used and can be used on a broad basis (in contrast to the token binding stuff). I also like the fact it provides both client authentication and sender-constraining.
>>>> 
>>>> We started the work on DPoP for the simple reason that SPAs don’t work well with mTLS and we want to provide a solution with somehow limited capabilities, e.g. regarding replay protection (see DPoP introduction). 
>>>> 
>>>> If someone asks me for the default solution, it’s simple: use mTLS. And if you build a SPA and want to do really security sensitive things, implement your OAuth stuff and the RS interactions in the backend of your application. 
>>>> 
>>>> DPoP is in a really early stage, let’s see where it will go.
>>>> 
>>>> best regards,
>>>> Torsten. 
>>>> 
>>>>> On 7. May 2019, at 10:25, Hannes Tschofenig <Hannes.Tschofenig@arm.com> wrote:
>>>>> 
>>>>> Hi all,
>>>>> 
>>>>> In the OAuth conference call today Vittorio mentioned that some folks are wondering whether DPOP is essentially a superset of MTLS and whether it makes sense to only proceed with one solution rather potentially two.
>>>>> 
>>>>> I was wondering whether others in the group have a few about this aspect?
>>>>> 
>>>>> Ciao
>>>>> Hannes
>>>>> 
>>>>> IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you. _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>> 
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>> 
>

v2.23.0 | Report a Bug | By Email