Re: [OAUTH-WG] OAuth Digest, Vol 177, Issue 24
Walter McGhee <silverbackgodx@gmail.com> Fri, 28 July 2023 19:08 UTC
Return-Path: <silverbackgodx@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 401EFC15198F for <oauth@ietfa.amsl.com>; Fri, 28 Jul 2023 12:08:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Lz1kV-rxiZGX for <oauth@ietfa.amsl.com>; Fri, 28 Jul 2023 12:08:11 -0700 (PDT)
Received: from mail-oi1-x22d.google.com (mail-oi1-x22d.google.com [IPv6:2607:f8b0:4864:20::22d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 472E3C151980 for <oauth@ietf.org>; Fri, 28 Jul 2023 12:08:11 -0700 (PDT)
Received: by mail-oi1-x22d.google.com with SMTP id 5614622812f47-3a3efebcc24so1965465b6e.1 for <oauth@ietf.org>; Fri, 28 Jul 2023 12:08:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1690571290; x=1691176090; h=mime-version:content-language:accept-language:in-reply-to :references:message-id:date:thread-index:thread-topic:subject:to :from:from:to:cc:subject:date:message-id:reply-to; bh=Vqlu/dy6dVQS7w8Cgyei4dw9LNTwCf97S+3zU8r61Vo=; b=A/ZY6/QH8VZ1LzbwWqSN5eupRnfYePd6llzB64cLtuhREkQ0uH6kVKmpLGbVgYfx/P k2R4PIdrdIE+whIGWCvsRdbxDrFJqL/6AIldxxvRCkT+H5LYR3yTNld6SDMh6yQe9+Dn iPZOH0uKTUSr6IoijbO7w5FacW8am45h9ISwxDREfc1bMv+QxGLhknwjuOWUpSjs0+1i cD2+7T863NqVGttRn3RowJYWBjJtOdy+caUwbS5sWr6YrfiiPtdgs2vYSuAyd0cQfkor 1DTcwPlahLDXkw03i7RaqKmYuGYMZSlGiuDKp122684KH5agrt+Xtgj9rWgf7mOixZ4i q2gw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1690571290; x=1691176090; h=mime-version:content-language:accept-language:in-reply-to :references:message-id:date:thread-index:thread-topic:subject:to :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=Vqlu/dy6dVQS7w8Cgyei4dw9LNTwCf97S+3zU8r61Vo=; b=LUfK7TMfPbM2NBseaOna7QadvBYiXxLNqB4yZT2i38AxQW46oGnvALIv7+VLkPMWOt t1i3mB4T+fajDOnhdAgfkwn4ZK4+lB5sYvhU+EEtw29SAZRon2ye5BFVJNSUKmnH/a9o vRcSmjoDWgBlLyOBDSJcDyZUNuLPyQL+/SRbxKfOjrA4mOR4wNa2Q/kTb1E2lmvQLC2M WC1Bh1+FMWh9mRiNl1sYUo+gVmLAzhWCScuwTosj4uo6HNllY5DuKYk4g2tbzWsy3aCD 87+PuxrqsXoXOrSfys5fUJ5DSkvc2wSz2kXsnum3lbUnYj/S2T64eFTMzOM85/juFQMy yYoQ==
X-Gm-Message-State: ABy/qLY8B/wnxit8MfqXHn9LcDc0brsXiibfBhNqrpQohWJ04ymHclAH RdtRbBzScAlxioVcEyTmS3e3lpPYIBc=
X-Google-Smtp-Source: APBJJlGo80Du11q8k5mL8EGIOOdh8+ALCwuG23bcUtYc5iapgzOg7FlDFm0AepCdb5lh6Fp//k8JJA==
X-Received: by 2002:a05:6358:7e9a:b0:139:a0fd:780a with SMTP id o26-20020a0563587e9a00b00139a0fd780amr3267025rwn.12.1690571289667; Fri, 28 Jul 2023 12:08:09 -0700 (PDT)
Received: from CH2PR17MB3542.namprd17.prod.outlook.com ([2603:1036:304:2840::5]) by smtp.gmail.com with ESMTPSA id x123-20020a818781000000b0057682d3f95fsm1239792ywf.136.2023.07.28.12.08.09 for <oauth@ietf.org> (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Fri, 28 Jul 2023 12:08:09 -0700 (PDT)
From: Walter McGhee <silverbackgodx@gmail.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: OAuth Digest, Vol 177, Issue 24
Thread-Index: AWg1MzA5Wm7YJ8fHZ9h5R7v6E625TuMYpyUJ
X-MS-Exchange-MessageSentRepresentingType: 1
Date: Fri, 28 Jul 2023 19:08:08 +0000
Message-ID: <CH2PR17MB354248C16F89E3F33C675068AF06A@CH2PR17MB3542.namprd17.prod.outlook.com>
References: <mailman.99.1690570803.61205.oauth@ietf.org>
In-Reply-To: <mailman.99.1690570803.61205.oauth@ietf.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-Exchange-Organization-SCL: -1
X-MS-TNEF-Correlator:
X-MS-Exchange-Organization-RecordReviewCfmType: 0
Content-Type: multipart/alternative; boundary="_000_CH2PR17MB354248C16F89E3F33C675068AF06ACH2PR17MB3542namp_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/n5MrzzC2SVPPkg2WUT-jMfhCHwo>
Subject: Re: [OAUTH-WG] OAuth Digest, Vol 177, Issue 24
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Jul 2023 19:08:12 -0000
Thanks for the links I will be getting right on it. Get Outlook for Android<https://aka.ms/AAb9ysg> ________________________________ From: OAuth <oauth-bounces@ietf.org> on behalf of oauth-request@ietf.org <oauth-request@ietf.org> Sent: Friday, July 28, 2023 3:00:03 PM To: oauth@ietf.org <oauth@ietf.org> Subject: OAuth Digest, Vol 177, Issue 24 Send OAuth mailing list submissions to oauth@ietf.org To subscribe or unsubscribe via the World Wide Web, visit https://www.ietf.org/mailman/listinfo/oauth or, via email, send a message with subject or body 'help' to oauth-request@ietf.org You can reach the person managing the list at oauth-owner@ietf.org When replying, please edit your Subject line so it is more specific than "Re: Contents of OAuth digest..." Today's Topics: 1. Re: OAuth 2.0 Attestation-Based Client Authentication (Paul Bastian) 2. Feed back on draft-sh-rats-oidc at-00 (George Fletcher) ---------------------------------------------------------------------- Message: 1 Date: Fri, 28 Jul 2023 14:57:37 +0000 (+00:00) From: Paul Bastian <paul.bastian@posteo.de> To: oauth@ietf.org Subject: Re: [OAUTH-WG] OAuth 2.0 Attestation-Based Client Authentication Message-ID: <b1cfd321-7998-4fef-ae43-e42d5e365e7a@posteo.de> Content-Type: text/plain; charset="utf-8" Hello Tom, Here is a link to the slide deck from IIW: https://www.linkedin.com/posts/paul-bastian-1970b1195_slides-on-wallet-security-concepts-activity-7056179875635724289-pDXM?utm_source=share&utm_medium=member_android Some things have evolved from there and this IETF draft is one of them. I am not convinced that we should point out in the specification which specific technologies today map well or not as these things tend to change over time, but if that's fundamental to you, I ask you to please open an issue on our GitHub page to track this. Best regards, Paul -------------- next part -------------- An HTML attachment was scrubbed... URL: <https://mailarchive.ietf.org/arch/browse/oauth/attachments/20230728/148306c2/attachment.htm> ------------------------------ Message: 2 Date: Fri, 28 Jul 2023 08:16:30 -0700 From: George Fletcher <george.fletcher@capitalone.com> To: "Smith, Ned" <ned.smith@intel.com>, "hardjono@mit.edu" <hardjono@mit.edu>, oauth@ietf.org Subject: [OAUTH-WG] Feed back on draft-sh-rats-oidc at-00 Message-ID: <CAJnLd9+FRG7DfLK4xrFfVqKwrL0Bf5Y=2Rs4NsX_zmNt9qkhDQ@mail.gmail.com> Content-Type: text/plain; charset="utf-8" Hi Ned/Thomas, Thanks so much for the conversation at IETF on the potential value of combining the attestation work with OpenID Connect and OAuth. Given the spec references a lot of OpenID Connect artifacts, I?ve used OpenID Connect points in this response. However, from an IETF perspective, this would be connected to OAuth and the Authorization Server. It might be useful to map the work to OAuth directly and then let OpenID Connect (which is built on top of OAuth) to ?inherit? the capability. As promised, here is some feedback on the presented draft? Section 2.1 * The userinfo endpoint is an API specified by the OpenID Connect protocol. It?s usually part of the OpenID Provider. Regardless it?s not a useragent/browser. Section 3.1 * userinfo (see previous comment) * End user (EU/Alice) is not an application. In OAuth the end user is called the Resource Owner. The application is called the ?client?. So the Resource Owner uses the client to access the RO?s resources. * Relying Party - generally in OAuth/OpenID Connect the relying party is not looking for attestations. It?s looking for an authorization token to be presented by a client. In the case of attestations? it would be the OpenID Provider that would be interested in the attestations (in this context it may be possible to consider the OpenID Provider playing the role of a RRP). Section 3.2.1 * this isn?t really how the OpenID connect protocol works. In a general mobile app flow, the mobile app (aka the client) will open a browser to the OpenID Provider?s /authorization endpoint which starts the authentication/consent/authorization flow. Once the user has authenticated, the OpenID Provider provides a ?code? back to the native application which then exchanges that ?code? for the ?id-token and access-token? at the /token endpoint of the OpenID Provider Beyond this part of the spec I got confused on how the protocol is supposed to work and who the core agents are in the flow. A diagram would be really helpful showing the core steps. In my view, it?s more likely that the OpenID Provider will be the entity desiring an attestation about the client making the request. This could be just an attestation about the client software, or could also include an attestation about general characteristics of the device (e.g. is it jail broken or not). There are two main use cases? 1. The client is a mobile app in which case it may be able to obtain an attestation before starting the authorization flow 2. The client is a web service (or relying party) and the OpenID Provider wants some attestation about the software and environment in which that client is running. I suspect we can address both cases with the same flow. We might need an initial step for the client to obtain a nonce from the OpenID Provider before presenting the attestation so that the attestation can contain the nonce allowing the OpenID provider to know this is a fresh attestation and bound into the authorization process requested by the client. Thanks, George -- [image: Capital One] George Fletcher (he/him) Executive Distinguished Engineer ? Identity Architect [image: address]8020 Towers Crescent Drive, Vienna, VA 22128 [image: mobile]616-498-8240 assistant: [image: email] genevieve.morgan@capitalone.com ______________________________________________________________________ The information contained in this e-mail is confidential and/or proprietary to Capital One and/or its affiliates and may only be used solely in performance of work or services for Capital One. The information transmitted herewith is intended only for use by the individual or entity to which it is addressed. If the reader of this message is not the intended recipient, you are hereby notified that any review, retransmission, dissemination, distribution, copying or other use of, or taking of any action in reliance upon this information is strictly prohibited. If you have received this communication in error, please contact the sender and delete the material from your computer. -------------- next part -------------- An HTML attachment was scrubbed... URL: <https://mailarchive.ietf.org/arch/browse/oauth/attachments/20230728/05512888/attachment.htm> ------------------------------ Subject: Digest Footer _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth ------------------------------ End of OAuth Digest, Vol 177, Issue 24 **************************************
- Re: [OAUTH-WG] OAuth Digest, Vol 177, Issue 24 Walter McGhee