[OAUTH-WG] Re: Call for adoption - PIKA

[Giuseppe De Marco <demarcog83@gmail.com>]

Ciao Tom,

Public Key Infrastructure satisfies the requirements to provide public
keys. Technically, using X.509 certificates represents a consolidated
approach.
Giving public keys doesn't help in establishing the trust or fully proving
the compliance to shared rules, that's why openid federation authors insist
that openid federation is not only a pki.

TLS is not removed, we use X.509 based pki on the web, therefore also using
federation.

TLS is used to establish confidentiality with an endpoint, establishing
trust to a subject only because it controls a private cryptographic key is
similar to the weakness about the bearer tokens.
Therefore, for instance, in advanced ecosystems and implementation is
required to demonstrate the proof of possession of the tokens because
bearers alone are not secure enough. This is more complex but required in
the real wold.

The point is: what is trust, how to establish trust in the real world,
which are the technical layers that we should (even in a modular way) take
into account to achieve our goals. Do we have the same goals?
Don't stop working together, let's keep the conversation to achieve our
goals in an harmonic way.

Il giorno mar 11 giu 2024 alle ore 06:11 Tom Jones <
thomasclinganjones@gmail.com> ha scritto:

> This whole problem did not need to happen. When the federation spec was
> being created I asked them not to deviate unnecessarily from pki. But the
> very guys that are on this thread told me that they were not a pki and so
> there was no reason for them to follow existing rules. This is entirely a
> problem of there own making. So let them fix their own mistakes.
>
> thx ..Tom (mobile)
>
> On Mon, Jun 10, 2024, 8:37 PM Watson Ladd <watsonbladd@gmail.com> wrote:
>
>> On Mon, Jun 10, 2024 at 8:33 PM Michael Jones
>> <michael_b_jones@hotmail.com> wrote:
>> >
>> > We all know that TLS certificates are handled by platform layers used
>> by applications and not the applications themselves.  There is no code that
>> understands X.509 certificates in most applications that use TLS.  They are
>> not equivalent in complexity.
>> >
>> >
>> >
>> > The draft would require adding code directly understanding the
>> structure and fields of X.509 to applications using it.  Eliminate that,
>> and I’ll support adoption.
>>
>> I don't understand your proposal. An X509 certificate is the only way
>> to link a DNS name to a key at a given point in time as we can
>> leverage the Web PKI. Absent that, what do you do?
>>
>> Also, I'm not sure what you mean by platform layers. Many of them
>> expose a function to verify a signature with a key in an X509 cert or
>> verify a cert chain, even outside the context of TLS. Are there
>> particular ones that would have a problem you are concerned about?
>>
>> Sincerely,
>> Watson Ladd
>>
>> _______________________________________________
>> OAuth mailing list -- oauth@ietf.org
>> To unsubscribe send an email to oauth-leave@ietf.org
>>
> _______________________________________________
> OAuth mailing list -- oauth@ietf.org
> To unsubscribe send an email to oauth-leave@ietf.org
>