Re: [OAUTH-WG] Call for Adoption - OAuth Proof of Possession Tokens with HTTP Message Signature

Mike Jones <Michael.Jones@microsoft.com> Fri, 08 October 2021 20:36 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: "jricher@mit.edu" <jricher@mit.edu>
CC: "rifaat.s.ietf@gmail.com" <rifaat.s.ietf@gmail.com>, "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] Call for Adoption - OAuth Proof of Possession Tokens with HTTP Message Signature
Date: Fri, 08 Oct 2021 20:36:32 +0000
Message-ID: <CO1PR00MB09966C91ADB5CE40D3BCE9AAF5B29@CO1PR00MB0996.namprd00.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/oCGifxQu8idJV3R-rE0BIh_7rOw>

I understand the layering that you’re describing, Justin.  That said, all the complexity of OAuth 1 and draft-ietf-oauth-signed-http-request are still there *and more*.  The complexity is just moved to a different draft in the HTTP working group that the proposed OAuth draft in question has taken a dependency upon.  The HTTP working group draft is a fully general, all-singing, all-dancing HTTP signing draft that will be even more difficult to obtain interop on than OAuth 1 or draft-ietf-oauth-signed-http-request were.

Just like canonicalization schemes inhibit interoperation due to their sheer complexity, HTTP signing schemes do the same.  We should discourage realistic systems from taking dependencies on them.  Therefore, we should not adopt this draft.

                                                       -- Mike

From: Justin Richer <jricher@mit.edu>
Sent: Friday, October 8, 2021 12:23 PM
To: Mike Jones <Michael.Jones@microsoft.com>
Cc: rifaat.s.ietf@gmail.com; oauth@ietf.org
Subject: Re: [OAUTH-WG] Call for Adoption - OAuth Proof of Possession Tokens with HTTP Message Signature

Hi Mike,

One of the major benefits of this proposed draft is that it does not try to solve the problem of HTTP message signing — which is a huge problem unto itself. When I wrote the original draft-ietf-oauth-signed-http-request, I wasn’t able to write it to depend on a general-purpose HTTP signing spec and so it had to invent a mechanism. OAuth 1 worked on signing just query parameters and lots of things in the front-channel, and so invented its own mechanism.

Now that the HTTP working group is well on the way to standardizing the HTTP Message Signatures draft as a general-purpose RFC, the OAuth working group doesn’t need to solve that problem anymore, and that’s a really, really good thing. We aren’t the right community to get that right, and the two previous failed attempts you point to prove that better than anything. That’s exactly why this draft is NOT going to do that, at all. HTTP Message Signing exists, people are implementing it and using it. It makes sense for the OAuth working group to define a way to use that work in an OAuth context. We are not and should not try again to define a way to sign HTTP messages.

That said, we know that DPoP invents its own way to sign an HTTP message, in a limited fashion. It has clear limitations — it doesn’t sign query parameters (which are likely to be important to many API types), it doesn’t sign headers, it doesn’t sign the body, etc. Even with these limitations, DPoP is useful, and I still argue that instead of trying to extend DPoP with a bunch of other things, we should let it exist as the clean point solution that it is.

This draft is actually significantly simpler than DPoP precisely because it is not defining an HTTP signing mechanism.

 — Justin


On Oct 8, 2021, at 2:24 PM, Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org> wrote:

I do not support adoption of this draft.  OAuth 1 failed because of the complexity of HTTP Signing and the resulting difficulty of achieving interop.  draft-ietf-oauth-signed-http-request was abandoned by the working group recognizing that it was resurrecting equivalent complexity to OAuth 1.  The proposed new draft is a third crack at the same thing that’s not sufficiently differentiated from the previous failed efforts in my mind to warrant us spending time on it.

Also, note we do have draft-ietf-oauth-dpop, which solves the actual proof-of-possession problem for OAuth in a narrowly targeted, focused manner.  That draft is active and in good shape.  We don’t need a more general, more complicated draft solving the same problem.

                                                       -- Mike

From: OAuth <oauth-bounces@ietf.org> On Behalf Of Rifaat Shekh-Yusef
Sent: Wednesday, October 6, 2021 2:02 PM
To: oauth <oauth@ietf.org>
Subject: [OAUTH-WG] Call for Adoption - OAuth Proof of Possession Tokens with HTTP Message Signature

All,

As a follow-up on the interim meeting today, this is a call for adoption for the OAuth Proof of Possession Tokens with HTTP Message Signature draft as a WG document:
https://datatracker.ietf.org/doc/draft-richer-oauth-httpsig/

Please provide your feedback on the mailing list by October 20th.

Regards,
Rifaat & Hannes

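The coverage difference Justin describes (DPoP binds only the method and the query-less URI, while an HTTP Message Signatures base can cover query, headers and a content digest) is shown below as an added example; it is not code from the thread, from draft-ietf-oauth-dpop or from the HTTP signing draft. It is a simplified reconstruction of the covered inputs only: no JWS, no real signature, constructed sample request, and the `rs.example` URLs, header values and helper names are assumptions.

```python
import base64
import hashlib
from urllib.parse import urlsplit

# Constructed sample request: two variants that differ only in the query string.
URL_A = "https://rs.example/items?user=alice"
URL_B = "https://rs.example/items?user=bob"
HEADERS = {"authorization": "DPoP tok-placeholder", "content-type": "application/json"}
BODY = b'{"op": "list"}'

def dpop_covered(method, url):
    """Inputs a DPoP proof binds: the method (htm) and the target URI with query
    and fragment stripped (htu), as draft-ietf-oauth-dpop defines them.
    Request headers and body are not inputs at all."""
    u = urlsplit(url)
    return {"htm": method.upper(), "htu": f"{u.scheme}://{u.netloc}{u.path}"}

def httpsig_base(method, url, headers, body, components):
    """Signature base in the style of the HTTP Message Signatures draft: one
    '"name": value' line per covered component, closed by @signature-params.
    Simplified: no created/keyid parameters and no key; the point is coverage."""
    u = urlsplit(url)
    derived = {"@method": method.upper(), "@target-uri": url,
               "@authority": u.netloc, "@path": u.path, "@query": "?" + u.query}
    lines = []
    for name in components:
        if name.startswith("@"):
            value = derived[name]
        elif name == "content-digest":
            digest = base64.b64encode(hashlib.sha256(body).digest()).decode()
            value = f"sha-256=:{digest}:"
        else:
            value = headers[name].strip()
        lines.append(f'"{name}": {value}')
    params = "(" + " ".join(f'"{c}"' for c in components) + ")"
    lines.append(f'"@signature-params": {params}')
    return "\n".join(lines)

def coverage_report():
    """Same request with a changed query: which scheme's covered input changes?"""
    comps = ["@method", "@authority", "@path", "@query", "content-digest"]
    return {
        "dpop_detects_query_change": dpop_covered("GET", URL_A) != dpop_covered("GET", URL_B),
        "httpsig_detects_query_change": httpsig_base("GET", URL_A, HEADERS, BODY, comps)
            != httpsig_base("GET", URL_B, HEADERS, BODY, comps),
    }

if __name__ == "__main__":
    print(httpsig_base("GET", URL_A, HEADERS, BODY, ["@method", "@query", "content-digest"]))
    print(coverage_report())
```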