Re: [OAUTH-WG] little nit on draft-ietf-oauth-security-topics-13 wrt ietf-oauth-mtls

Brian Campbell <bcampbell@pingidentity.com> Tue, 23 July 2019 13:45 UTC

References: <CA+k3eCRkBZ8ehLLBrc4fXhQec=jXb6KLqstN2b-N4r9yuVqA9w@mail.gmail.com> <095d6849-38c4-6f02-2a1a-4c16255c498c@yes.com>
In-Reply-To: <095d6849-38c4-6f02-2a1a-4c16255c498c@yes.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Tue, 23 Jul 2019 07:45:07 -0600
Message-ID: <CA+k3eCSS779LXBO0jpWr9yCnMjZtZ5zKCaER_JyMTREY5En9Ww@mail.gmail.com>
To: Daniel Fett <danielf+oauth@yes.com>
Cc: oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/muDCdBxJdVdXpDRaJ-e-aAUMlSg>
Subject: Re: [OAUTH-WG] little nit on draft-ietf-oauth-security-topics-13 wrt ietf-oauth-mtls
List-Id: OAUTH WG <oauth.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>

One more thing I just noticed is that RFC8418 is used as a reference in a
few places that I suspect should be RFC8414.

https://tools.ietf.org/html/rfc8418 : Use of the Elliptic Curve
Diffie-Hellman Key Agreement Algorithm with X25519 and X448 in the
Cryptographic Message Syntax (CMS)

https://tools.ietf.org/html/rfc8414 : OAuth 2.0 Authorization Server
Metadata


On Tue, Jul 23, 2019 at 5:19 AM Daniel Fett <danielf+oauth@yes.com> wrote:

> Thanks Brian, I committed a fix for this.
>
> -Daniel
>
> Am 22.07.19 um 20:36 schrieb Brian Campbell:
>
> The description of I-D.ietf-oauth-mtls in
> https://tools.ietf.org/html/draft-ietf-oauth-security-topics-13#section-4.8.1.2
> talks about binding to and checking against the fingerprint of the public
> key from the client certificate. However,
> https://tools.ietf.org/html/draft-ietf-oauth-mtls-15 uses a hash of the
> whole certificate rather than of just the public key.
>
> CONFIDENTIALITY NOTICE: This email may contain confidential and
> privileged material for the sole use of the intended recipient(s). Any
> review, use, distribution or disclosure by others is strictly prohibited.
> If you have received this communication in error, please notify the sender
> immediately by e-mail and delete the message and any file attachments from
> your computer. Thank you.
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
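The point Brian raises in the quoted message (draft-ietf-oauth-mtls binds the access token to a hash of the whole certificate, not to a fingerprint of just the public key) is easiest to see by computing both values. The following is an added Python example, not code from the thread, from the draft, or from either author. It assembles a constructed toy DER certificate skeleton (real OIDs, but placeholder key bytes and a fake signature, so it cannot be validated by anything), computes the `x5t#S256` thumbprint the draft specifies alongside a public-key-only fingerprint, and runs the resource-server comparison. The function names and the toy certificate contents are assumptions made for this example.

```python
import base64
import hashlib
import hmac
from typing import Any, Dict


def _der_len(n: int) -> bytes:
    # DER length: short form below 128, long form (0x80 | byte count, then the bytes) otherwise.
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(value)) + value


def _seq(*items: bytes) -> bytes:
    return _tlv(0x30, b"".join(items))


def _int(n: int) -> bytes:
    # INTEGER with a leading 0x00 when the top bit is set, as DER requires for non-negative values.
    return _tlv(0x02, n.to_bytes((n.bit_length() // 8) + 1, "big"))


def _cn(name: str) -> bytes:
    # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, holding only a commonName (OID 2.5.4.3).
    return _seq(_tlv(0x31, _seq(bytes.fromhex("0603550403"), _tlv(0x0C, name.encode()))))


# Real OIDs, DER-encoded: id-ecPublicKey, prime256v1, ecdsa-with-SHA256.
OID_EC_PUBLIC_KEY = bytes.fromhex("06072a8648ce3d0201")
OID_P256 = bytes.fromhex("06082a8648ce3d030107")
OID_ECDSA_SHA256 = bytes.fromhex("06082a8648ce3d040302")

# Constructed stand-in for an uncompressed P-256 point (0x04 || X || Y). Not a real curve point.
TOY_POINT = b"\x04" + bytes(range(1, 65))

# SubjectPublicKeyInfo ::= SEQUENCE { algorithm AlgorithmIdentifier, subjectPublicKey BIT STRING }
TOY_SPKI = _seq(_seq(OID_EC_PUBLIC_KEY, OID_P256), _tlv(0x03, b"\x00" + TOY_POINT))


def build_toy_cert(serial: int, spki: bytes = TOY_SPKI) -> bytes:
    """Assemble a DER Certificate skeleton around `spki`. The field layout follows X.509, but the
    signature is constructed filler and nothing here verifies; only the hashes over it matter."""
    tbs = _seq(
        _tlv(0xA0, _int(2)),                              # [0] EXPLICIT version v3
        _int(serial),                                     # serialNumber
        _seq(OID_ECDSA_SHA256),                           # signature algorithm
        _cn("toy-ca"),                                    # issuer
        _seq(_tlv(0x17, b"190101000000Z"), _tlv(0x17, b"300101000000Z")),  # validity (UTCTime)
        _cn("toy-client"),                                # subject
        spki,                                             # subjectPublicKeyInfo
    )
    fake_signature = _tlv(0x03, b"\x00" + bytes(64))      # constructed, not a real ECDSA signature
    return _seq(tbs, _seq(OID_ECDSA_SHA256), fake_signature)


def _b64url_sha256(data: bytes) -> str:
    return base64.urlsafe_b64encode(hashlib.sha256(data).digest()).rstrip(b"=").decode("ascii")


def x5t_s256(cert_der: bytes) -> str:
    """Confirmation value as draft-ietf-oauth-mtls defines it: base64url-encoded SHA-256 of the DER
    encoding of the whole X.509 certificate, carried in the token as cnf["x5t#S256"]."""
    return _b64url_sha256(cert_der)


def public_key_fingerprint(spki_der: bytes) -> str:
    """What 'fingerprint of the public key' means if taken literally: a hash over only the
    SubjectPublicKeyInfo. Shown for contrast; the draft does not bind tokens to this value."""
    return _b64url_sha256(spki_der)


def issue_bound_token(cert_der: bytes) -> Dict[str, Any]:
    """Authorization-server side: bind the token to the certificate the client authenticated with."""
    return {"sub": "toy-client", "cnf": {"x5t#S256": x5t_s256(cert_der)}}


def token_matches_presented_cert(token: Dict[str, Any], presented_cert_der: bytes) -> bool:
    """Resource-server side: accept only if the cnf thumbprint equals the thumbprint of the client
    certificate on the current mutual-TLS connection. Constant-time compare; a missing cnf fails."""
    cnf = token.get("cnf")
    expected = cnf.get("x5t#S256") if isinstance(cnf, dict) else None
    if not isinstance(expected, str):
        return False
    return hmac.compare_digest(expected.encode(), x5t_s256(presented_cert_der).encode())


if __name__ == "__main__":
    cert_v1 = build_toy_cert(serial=1)
    cert_v2 = build_toy_cert(serial=2)      # re-issued: same key, different serial
    token = issue_bound_token(cert_v1)
    print("x5t#S256(cert v1):      ", token["cnf"]["x5t#S256"])
    print("x5t#S256(cert v2):      ", x5t_s256(cert_v2))
    print("SPKI fingerprint (both):", public_key_fingerprint(TOY_SPKI))
    print("v1 accepted:", token_matches_presented_cert(token, cert_v1))
    print("v2 accepted:", token_matches_presented_cert(token, cert_v2))
```

Re-issuing the certificate with the same key (serial 2 in the block) changes `x5t#S256` but leaves the SPKI fingerprint unchanged, which is why the two wordings are not interchangeable: a token bound to the first certificate is rejected when the re-issued one is presented, even though the client's key never changed, and an implementation that hashed only the public key would accept it.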
