Re: [OAUTH-WG] Server cert verification in 10.9

John Bradley <ve7jtb@ve7jtb.com> Tue, 24 January 2012 22:24 UTC

To: Peter Saint-Andre <stpeter@stpeter.im>
Cc: OAuth WG <oauth@ietf.org>

We added the reference to RFC 6125 in OpenID Connect.

    The Client MUST perform a TLS/SSL server certificate check, per
    <xref target="RFC6125">RFC 6125</xref>.

We wanted to be more general to allow for non http bindings in the future.

If you don't do it in core, every spec that references core will probably have to add it.

John B.


On 2012-01-24, at 12:32 AM, Peter Saint-Andre wrote:

> On 1/20/12 4:46 PM, Eran Hammer wrote:
>> Stephen asked:
>> 
>>> (13) 10.9 says that the client MUST verify the server's cert which is
>>> fine. However, does that need a reference to e.g. rfc 6125? Also, do 
>>> you want to be explicit here about the TLS server cert and thereby 
>>> possibly rule out using DANE with the non PKI options that that WG 
>>> (may) produce?
>> 
>> Can someone help with this? I don’t know enough to address.
> 
> The OAuth core spec currently says:
> 
>   The client MUST validate the authorization server's
>   TLS certificate in accordance with its requirements
>   for server identity authentication.
> 
> RFC 2818 has guidance about endpoint identity, in Section 3.1:
> 
> http://tools.ietf.org/html/rfc2818#section-3.1
> 
> RFC 6125 attempts to generalize the guidance from RFC 2818 and many
> similar specs for use by new application protocols. Given that OAuth as
> defined by the core spec runs over HTTP, I think referencing RFC 2818
> would make sense. So something like:
> 
>   The client MUST validate the authorization server's
>   TLS certificate in accordance with the rules for
>   server identity authentication provided in Section 3.1
>   of [RFC2818].
> 
> Peter
> 
> -- 
> Peter Saint-Andre
> https://stpeter.im/
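The identity check that the quoted text asks the client to perform, as an added example that is not from the OAuth specification or from either message above: it applies the RFC 2818 Section 3.1 rules (a dNSName subjectAltName takes precedence over the CN; a literal IP address must exactly match an iPAddress entry) together with the stricter whole-leftmost-label wildcard rule of RFC 6125. The certificate is a constructed dict in the shape Python's `ssl` module returns from `getpeercert()`; the function names are this example's own.

```python
"""Hostname check for an authorization server's TLS certificate, following
RFC 2818 section 3.1 with the stricter wildcard rules of RFC 6125.
Added example; not code from the OAuth spec or any project named here.
The certificate is a constructed dict shaped like ssl.getpeercert()."""
import ipaddress

def dns_name_matches(pattern, hostname):
    """Compare a dNSName (optionally with a wildcard) against a hostname.
    RFC 6125 sec. 6.4.3: the wildcard must be the whole leftmost label and
    matches exactly one label, so *.example.com matches a.example.com but
    not example.com or a.b.example.com; f*.com is rejected entirely."""
    p_labels = pattern.rstrip(".").lower().split(".")
    h_labels = hostname.rstrip(".").lower().split(".")
    if len(p_labels) != len(h_labels) or not all(h_labels):
        return False
    if any("*" in lbl for lbl in p_labels):
        if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
            return False  # partial or non-leftmost wildcard: reject
        if len(p_labels) < 3:
            return False  # "*.com" would match every second-level domain
    return all(p == "*" or p == h for p, h in zip(p_labels, h_labels))

def server_identity_matches(cert, hostname):
    """RFC 2818 sec. 3.1: if the certificate carries a dNSName subjectAltName
    it MUST be the identity checked and the subject CN is ignored; only a
    certificate without dNSName entries falls back to the CN. A literal IP
    address in the URI must exactly match an iPAddress entry."""
    sans = cert.get("subjectAltName", ())
    dns_names = [v for t, v in sans if t == "DNS"]
    ip_names = [v for t, v in sans if t == "IP Address"]
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ipaddress.ip_address(v) == ip for v in ip_names)
    if dns_names:
        return any(dns_name_matches(n, hostname) for n in dns_names)
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn
           if k == "commonName"]
    return bool(cns) and dns_name_matches(cns[-1], hostname)  # legacy CN path

# Constructed peer certificate, in the shape ssl.SSLSocket.getpeercert() returns
AUTHZ_SERVER_CERT = {
    "subject": ((("commonName", "login.example.com"),),),
    "subjectAltName": (("DNS", "authz.example.com"),
                       ("DNS", "*.api.example.com"),
                       ("IP Address", "192.0.2.10")),
}
```

Note that `login.example.com` is rejected for this certificate even though it is the CN: once a dNSName SAN is present, RFC 2818 forbids falling back to the CN.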