Re: [OAUTH-WG] Signed JWK Sets

Ethan Heilman <eth3rs@gmail.com> Thu, 11 April 2024 00:13 UTC

References: <CAL02cgSANrR=nys3RXDOYJPibLkv25X8Okq4dhL0Dpfi_ZSS_A@mail.gmail.com> <CAL02cgQG4Fhn2zCmq0EFLJReB_jf257msdM9OEgYr03n6D1qRg@mail.gmail.com>
In-Reply-To: <CAL02cgQG4Fhn2zCmq0EFLJReB_jf257msdM9OEgYr03n6D1qRg@mail.gmail.com>
From: Ethan Heilman <eth3rs@gmail.com>
Date: Wed, 10 Apr 2024 20:12:34 -0400
Message-ID: <CAEM=y+WEgqLa7+0jreqHTK2UjueEWU+hJ05peuO6wSzyQ4WN=Q@mail.gmail.com>
To: "oauth@ietf.org WG" <oauth@ietf.org>
Cc: Sharon Goldberg <goldbe@bastionzero.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/mZG-4H0X4bYnDNL49UdJHHCBSuI>

I want to voice my support for this draft: Proof of Issuer Key Authority
(PIKA). The ability to reason about the past validity of JWKS is extremely
useful for using OIDC in signing CI artifacts and e2e encrypted
messaging. This includes what we are building at OpenPubkey (
github.com/openpubkey/openpubkey) and also proposed security improvements
to software supply chain systems like SigStore (
https://arxiv.org/pdf/2307.08201.pdf).

I want to underscore the value of PIKA to increase the security of JWKS
URIs and OpenID Connect. Currently, if an attacker compromises an OpenID
Provider's JWKS URI, the attacker can substitute their own public keys and
impersonate any user to any relying parties who depend on that OpenID
Provider. The effects of Google, Microsoft or Okta's JWKS URI being
controlled by a malicious party for even a few minutes could be
devastating. The widespread deployment of PIKA would remove this risk and
require that attackers compromise not only the JWKS URI but also the PIKA
signing keys.

As part of the OpenPubkey project, we are planning to write an
implementation of PIKA and looking with excitement toward this draft.


On Tue, Apr 9, 2024 at 3:33 PM Richard Barnes <rlb@ipv.sx> wrote:

> Hi all,
>
> Thanks for all the feedback on-list and at IETF 119.  Sharon and I took a
> second pass at this idea and actually made an Internet-Draft this time:
>
> https://datatracker.ietf.org/doc/draft-barnes-oauth-pika/
>
> The new draft is focused on "Proofs of Issuer Key Authority".  This new
> framing is based on a couple of important bits of feedback from Mike Jones,
> (1) that OpenID Federation had already defined most of what we need, and
> (2) that it would help to be clear that the real focus here was on
> replacing HTTPS with JWT as the proof that a key is authoritative for a
> given issuer.  Given that, we reuse the "historical JWK set" format from
> OpenID Federation, and of course, focus on the "key authority" issue.
>
> Obviously, more feedback is welcome, but especially on whether this would
> be a good thing for the OAuth WG to work on.
>
> Thanks,
> --Richard
>
>
> On Sun, Mar 17, 2024 at 1:55 AM Richard Barnes <rlb@ipv.sx> wrote:
>
>> Hi all,
>>
>> A few of us have been considering use cases for JWTs related to
>> Verifiable Credentials and container signing, which require better "proof
>> of authority" for JWT signing keys.  Sharon Goldberg and I wrote up a quick
>> specification for how to sign a JWK set, and how you might extend discovery
>> mechanisms to present such a signed JWK set:
>>
>>
>> https://github.com/bifurcation/redistributable-jwks/blob/main/draft-barnes-oauth-redistributable-jwks.md
>>
>> (Just in GitHub for now; will publish as an I-D when the window reopens
>> tomorrow.)
>>
>> If we could get this functionality added to OAuth / OIDC, it would make
>> these use cases work a lot better.  As a prelude toward proposing working
>> group adoption, it would be great to know if this design seems helpful to
>> other folks as well.  Obviously, happy to answer any questions / comments.
>>
>> Thanks,
>> --Richard
>>
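The key-substitution risk Ethan describes above, as an added example that is not code from this thread or from the OpenPubkey project: a relying party that accepts a JWK set only when it arrives inside a JWS signed by a trusted PIKA key, so keys swapped in at the JWKS URI fail verification whatever the HTTPS layer vouched for. Assumed for illustration: the single-field `EdDSA` header and the `JWKSet`, `signJWKS` and `verifyJWKS` names are mine, a simplification of the draft's historical JWK set format, and how the verifier comes to trust the PIKA public key in the first place is left out (it is simply handed the key).

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

var b64 = base64.RawURLEncoding // JWS segments are unpadded base64url
// JWKSet is the signed payload: the issuer the keys are authoritative for, and the keys themselves.
type JWKSet struct {
	Iss  string            `json:"iss"`
	Keys []json.RawMessage `json:"keys"`
}

// signJWKS wraps a key set in a compact JWS (alg EdDSA, RFC 8037) under the long-lived PIKA
// signing key. The one-field header is a simplification, not the draft's exact layout.
func signJWKS(pikaPriv ed25519.PrivateKey, set JWKSet) (string, error) {
	payload, err := json.Marshal(set)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString([]byte(`{"alg":"EdDSA"}`)) + "." + b64.EncodeToString(payload)
	sig := ed25519.Sign(pikaPriv, []byte(signingInput))
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// verifyJWKS trusts a fetched document only if the PIKA key signed it and it names the expected issuer;
// keys swapped in at the JWKS URI fail here. Verification is pinned to Ed25519, so the header's alg cannot downgrade it.
func verifyJWKS(pikaPub ed25519.PublicKey, jws, wantIss string) (*JWKSet, error) {
	parts := strings.Split(jws, ".")
	if len(parts) != 3 {
		return nil, errors.New("not a compact JWS")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(pikaPub, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, errors.New("signature invalid: key set was not issued under the PIKA key")
	}
	payload, err := b64.DecodeString(parts[1])
	var set JWKSet
	if err != nil || json.Unmarshal(payload, &set) != nil {
		return nil, errors.New("malformed key set payload")
	}
	if set.Iss != wantIss {
		return nil, errors.New("key set is for a different issuer")
	}
	return &set, nil
}
```

A relying party would cache the verified `JWKSet` and refuse to use any key that did not arrive through `verifyJWKS`, which is exactly the property a compromised JWKS URI alone cannot defeat.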