Re: [OAUTH-WG] MTLS and Native apps Best practices
David Waite <david@alkaline-solutions.com> Wed, 08 May 2019 08:06 UTC
Return-Path: <david@alkaline-solutions.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7080712008B for <oauth@ietfa.amsl.com>; Wed, 8 May 2019 01:06:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.435
X-Spam-Level: *
X-Spam-Status: No, score=1.435 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_SBL_CSS=3.335, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BzBnOHcuJNtL for <oauth@ietfa.amsl.com>; Wed, 8 May 2019 01:06:45 -0700 (PDT)
Received: from alkaline-solutions.com (lithium5.alkaline-solutions.com [IPv6:2600:3c00::f03c:91ff:fe93:6974]) by ietfa.amsl.com (Postfix) with ESMTP id 091B5120100 for <oauth@ietf.org>; Wed, 8 May 2019 01:06:45 -0700 (PDT)
Received: from [IPv6:2601:282:202:b210:1c11:55a1:19fa:b678] (unknown [IPv6:2601:282:202:b210:1c11:55a1:19fa:b678]) by alkaline-solutions.com (Postfix) with ESMTPSA id 76A8731764; Wed, 8 May 2019 08:06:44 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
From: David Waite <david@alkaline-solutions.com>
In-Reply-To: <CAANoGh+6TmvJdwY3rnDb_1zHSPX2vvOQkZ-RDpXYca_kG34NGQ@mail.gmail.com>
Date: Wed, 08 May 2019 02:06:43 -0600
Cc: Hannes Tschofenig <Hannes.Tschofenig@arm.com>, IETF oauth WG <oauth@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <4CC45D37-982F-4116-AECF-3C1C0F245B05@alkaline-solutions.com>
References: <9483DDB2-B495-42F2-BE29-38D15E1EEAE2@oracle.com> <DBBPR08MB4539A9D5B918B54B062E2471FA310@DBBPR08MB4539.eurprd08.prod.outlook.com> <CAANoGh+6TmvJdwY3rnDb_1zHSPX2vvOQkZ-RDpXYca_kG34NGQ@mail.gmail.com>
To: John Bradley <ve7jtb@ve7jtb.com>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/pJmUv3_4MIJpz-jFQSjANOvaVoo>
Subject: Re: [OAUTH-WG] MTLS and Native apps Best practices
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 May 2019 08:06:50 -0000
> On May 7, 2019, at 8:02 AM, John Bradley <ve7jtb@ve7jtb.com> wrote: > > I believe that for a native app to use mtls via a chrome custom tab or Safari view controller you need to provision a certificate and private key to the system keystore. It is not something that can happen dynamically from the app. > > That in practice is generally done by proprietary EMM (Enterprise Mobility Management) systems like mobile Iron etc. On iOS you can load a PKCS12 file or use SCEP. You can do so with static policies, but nobody does it that way - they use an EMM system. This really limits things to enterprise usage or value-added features for small businesses that use EMM management integrated into other products like GSuite. > I think there are also some issues with the app using the same key, it may need to be separately provisioned to the app as well. On iOS, such certificates will be used by the system browser, but will not be used by an embedded web view or otherwise made available to applications. So, code flow and resource access MTLS using a client certificate at the system level is right out, unless some app-specific mechanism to negotiate a client key pair is used. Mobile apps on iOS will need to use ephemeral keys. The client certificate may be used by the system browser to identify the device, so that the user authentication process can also verify that they are accessing from a device that meets corporate policy. So there’s precedent for a MTLS negotiation with the front channel being used for a different, non-PoP purpose. Not to say that enterprises wouldn’t prefer access be tied to a certificate they know was installed on the device and was requested to be non-exportable - there is just no standard way to do that today. Well, I suppose Kerberos. -DW
- [OAUTH-WG] MTLS and Native apps Best practices Phil Hunt
- Re: [OAUTH-WG] MTLS and Native apps Best practices Torsten Lodderstedt
- Re: [OAUTH-WG] MTLS and Native apps Best practices Phil Hunt
- Re: [OAUTH-WG] MTLS and Native apps Best practices Rob Otto
- Re: [OAUTH-WG] MTLS and Native apps Best practices Hannes Tschofenig
- Re: [OAUTH-WG] MTLS and Native apps Best practices John Bradley
- Re: [OAUTH-WG] MTLS and Native apps Best practices Phil Hunt
- Re: [OAUTH-WG] MTLS and Native apps Best practices David Waite