Re: [OAUTH-WG] MTLS and in-browser clients using the token endpoint

Neil Madden <neil.madden@forgerock.com> Mon, 07 January 2019 18:36 UTC

From: Neil Madden <neil.madden@forgerock.com>
In-Reply-To: <CA+k3eCR9JVmeUcuGaDgDvcFz4L=uXph+CZ_=cJVSc4NJP2DG+Q@mail.gmail.com>
Date: Mon, 07 Jan 2019 18:36:29 +0000
Cc: Benjamin Kaduk <kaduk@mit.edu>, oauth <oauth@ietf.org>
Message-Id: <34DD1788-FC0E-4BB3-BB4D-198005285A71@forgerock.com>
References: <CA+k3eCTKSFiiTw8--qBS0R2YVQ0MY0eKrMBvBNE4pauSr1rHcA@mail.gmail.com> <6A614742-290D-47E2-B3E9-A4D49DB32DD7@forgerock.com> <CA+k3eCSoNRGrsxeLYd6DEqU+U6TB_aXV2aPUa07Um2X0ZH_ZEw@mail.gmail.com> <20190104215540.GL86936@kduck.kaduk.org> <CA+k3eCR9JVmeUcuGaDgDvcFz4L=uXph+CZ_=cJVSc4NJP2DG+Q@mail.gmail.com>
To: Brian Campbell <bcampbell@pingidentity.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/kKVdrb2HGJ_aXlfdNmUZjm0MGeo>
Subject: Re: [OAUTH-WG] MTLS and in-browser clients using the token endpoint

Thinking about this, given that this is the *token* endpoint that clients talk to directly, not the *authorize* endpoint, it seems already possible for the AS to put it on a different port/host so that users aren’t ever prompted for a cert. Right?

— Neil

> On 7 Jan 2019, at 17:21, Brian Campbell <bcampbell@pingidentity.com> wrote:
> 
> I don't honestly know for sure but I suspect that employees of big corporations will likely have keys/certs on their devices/machines that are issued by some internal CA and provisioned to them automatically (and in many cases without the user knowing and/or understanding that they are there and why). Those users would likely be prompted when TLS handshaking with a server that presents an empty list of CAs in the certificate_authorities of the CertificateRequest. 
> 
> I dunno. Maybe I was too quick to retract the proposal for the MTLS supporting secondary token endpoint?
> 
> What do folks (including Ben & Neil) think? 
> 
>> On Fri, Jan 4, 2019 at 2:55 PM Benjamin Kaduk <kaduk@mit.edu> wrote:
>> On Fri, Dec 28, 2018 at 03:55:15PM -0700, Brian Campbell wrote:
>> > I
>> > suspect that not having client certs set up is the situation for the vast
>> > majority of users and their browsers. And for those that do have client
>> 
>> Is this still true when we limit to the set of users/browsers that are
>> employees of big corporations?
>> 
>> -Ben
>> 
>> > certs set up, I think they are more likely to be the kind of user that is
>> > able to deal with the UI prompt okay.
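The point Neil and Brian are circling, as an added illustration rather than anything from the thread or from ForgeRock or Ping: whether a browser shows a certificate prompt is decided entirely by whether the TLS server sends a CertificateRequest, and what that request lists in certificate_authorities. The Go program below uses crypto/tls as a stand-in for both the AS and a browser with a corporate client certificate installed. It stands up three loopback listeners (all names and certificates are constructed test material): a browser-facing endpoint that never requests a certificate, an MTLS token endpoint that requests one with an empty CA list (Brian's prompt-everyone case), and an MTLS token endpoint that names the CA it trusts. The client's GetClientCertificate callback plays the role of the prompt, so the output shows directly that splitting the MTLS token endpoint onto its own host or port keeps the prompt away from ordinary users.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// SelfSigned mints a throwaway self-signed certificate (constructed test material, not a
// real AS or corporate CA) usable both as a TLS server certificate and as a client certificate.
func SelfSigned(cn string) (tls.Certificate, *x509.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
		IPAddresses:           []net.IP{net.IPv4(127, 0, 0, 1)},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, leaf
}

// BrowserEndpoint models the host browsers talk to (authorize endpoint, ordinary token
// endpoint): the server never sends CertificateRequest, so no certificate prompt can appear.
func BrowserEndpoint(serverCert tls.Certificate) *tls.Config {
	return &tls.Config{Certificates: []tls.Certificate{serverCert}, ClientAuth: tls.NoClientCert}
}

// MTLSEndpoint models the separate MTLS token endpoint on its own host/port. Given a trusted
// CA it requires a client certificate and advertises that CA in certificate_authorities;
// with clientCA == nil it only requests one and sends an empty CA list, which is the case
// in which any browser holding a client certificate will prompt its user.
func MTLSEndpoint(serverCert tls.Certificate, clientCA *x509.Certificate) *tls.Config {
	cfg := &tls.Config{Certificates: []tls.Certificate{serverCert}, ClientAuth: tls.RequestClientCert}
	if clientCA != nil {
		pool := x509.NewCertPool()
		pool.AddCert(clientCA)
		cfg.ClientCAs = pool
		cfg.ClientAuth = tls.RequireAndVerifyClientCert
	}
	return cfg
}

// Probe runs one loopback handshake against serverCfg and reports whether the server asked
// for a client certificate and how many CA names it listed. The client stands in for a
// browser with clientCert installed; the GetClientCertificate callback is the "prompt".
func Probe(serverCfg *tls.Config, clientCert tls.Certificate) (requested bool, acceptableCAs int, err error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return false, 0, err
	}
	defer ln.Close()
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			return
		}
		defer conn.Close()
		_ = tls.Server(conn, serverCfg).Handshake()
	}()
	clientCfg := &tls.Config{
		InsecureSkipVerify: true, // the server certificate is constructed self-signed test material
		GetClientCertificate: func(cri *tls.CertificateRequestInfo) (*tls.Certificate, error) {
			requested = true
			acceptableCAs = len(cri.AcceptableCAs) // the certificate_authorities the server sent
			return &clientCert, nil
		},
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if err != nil {
		return requested, acceptableCAs, err
	}
	conn.Close()
	return requested, acceptableCAs, nil
}

func main() {
	serverCert, _ := SelfSigned("as.example.test") // constructed AS hostname
	employeeCert, corpCA := SelfSigned("employee") // constructed corporate client cert
	configs := map[string]*tls.Config{
		"browser-facing endpoint":      BrowserEndpoint(serverCert),
		"mtls endpoint, empty CA list": MTLSEndpoint(serverCert, nil),
		"mtls endpoint, corp CA named": MTLSEndpoint(serverCert, corpCA),
	}
	for name, cfg := range configs {
		req, cas, err := Probe(cfg, employeeCert)
		fmt.Printf("%-30s cert requested=%v acceptable CAs=%d err=%v\n", name, req, cas, err)
	}
}
```

The browser-facing listener never triggers the callback, the CA-less MTLS listener triggers it with zero acceptable CAs, and the MTLS listener that names the corporate CA triggers it with one. Real browsers apply the same logic: a CertificateRequest with an empty certificate_authorities list makes every installed client certificate a candidate, which is exactly why an AS that only needs MTLS for non-browser clients benefits from answering those clients on a separate host or port.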