[OAUTH-WG] Re: Call for adoption - PIKA
Rohan Mahy <rohan.mahy@gmail.com> Wed, 12 June 2024 10:44 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/pmWxRb-R0CCqaCKhrxEibb9vdsQ>
Hi Mike,

"There is no code that understands X.509 certificates in most applications that use TLS".

As Watson said, many platforms and libraries provide a way to verify a certificate outside of TLS. However, the whole point of PIKA is that it is an additional *choice* for people who *cannot* use TLS because the issuer may be offline at verification time.

Let's look at your statement under two cases: those applications that need offline verification, and those that don't.

1) If your application doesn't need offline verification, it doesn't need to implement PIKA and therefore doesn't need an X.509 verification library.
*Conclusion*: No change, no negative implications. Continue doing issuer verification using TLS as today.

2) If your application requires offline verification, it isn't going to be able to open up a TLS connection to an offline issuer .well-known URL as you proposed. The options are to use an existing X.509 verification API built into a number of platforms and crypto libraries, or to include one in your application. At a previous employer we had to do X.509 validation in a web client and were able to find a small, suitable library for this purpose (the certval Rust crate) and could have optionally included the Mozilla root certs (webpki-roots crate).
*Conclusion*: If you need it, you can find off-the-shelf (or may already have) the libraries you need to implement this in your application. The change in the JWT validation code looks trivial.

Thanks,
-rohan

On Mon, Jun 10, 2024 at 11:32 PM Michael Jones <michael_b_jones@hotmail.com> wrote:

> We all know that TLS certificates are handled by platform layers used by applications and not the applications themselves. There is no code that understands X.509 certificates in most applications that use TLS. They are not equivalent in complexity.
>
> The draft would require adding code directly understanding the structure and fields of X.509 to applications using it. Eliminate that, and I'll support adoption.
>
> -- Mike
>
> *From:* Richard Barnes <rlb@ipv.sx>
> *Sent:* Monday, June 10, 2024 8:18 PM
> *To:* Michael Jones <michael_b_jones@hotmail.com>
> *Cc:* Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>; oauth <oauth@ietf.org>
> *Subject:* Re: [OAUTH-WG] Re: Call for adoption - PIKA
>
> The applications we're talking about are **already** doing X.509 when they make HTTPS connections. It's not a new requirement. The only thing we're doing is using the certificate for JWT instead of HTTPS.
>
> --RLB
>
> On Mon, Jun 10, 2024 at 11:15 PM Michael Jones <michael_b_jones@hotmail.com> wrote:
>
> As both I and Giuseppe pointed out, the requirement for applications to use and understand X.509 certificates means that the draft is way beyond the minimum complexity needed.
>
> Eliminate application-level X.509 (which is an anachronism that OAuth and JOSE have moved away from), and I'll support adoption of the next draft.
>
> -- Mike
>
> *From:* Richard Barnes <rlb@ipv.sx>
> *Sent:* Monday, June 10, 2024 8:11 PM
> *To:* Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
> *Cc:* oauth <oauth@ietf.org>
> *Subject:* [OAUTH-WG] Re: Call for adoption - PIKA
>
> In case it's not clear from other messages in this thread: I think this draft should be adopted. It solves several pressing use cases, with the minimal amount of complexity needed.
>
> --Richard
>
> On Mon, Jun 10, 2024 at 7:47 AM Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com> wrote:
>
> All,
>
> This is an official call for adoption for the *Proof of Issuer Key Authority (PIKA)* draft:
>
> https://datatracker.ietf.org/doc/draft-barnes-oauth-pika/
>
> Please, reply *on the mailing list* and let us know if you are in favor or against adopting this draft as WG document, by *June 24th*.
>
> Regards,
> Rifaat & Hannes
>
> _______________________________________________
> OAuth mailing list -- oauth@ietf.org
> To unsubscribe send an email to oauth-leave@ietf.org