Re: [OAUTH-WG] [EXT] Re: DPoP followup III: client auth

Michael A Peck <mpeck@mitre.org> Fri, 04 December 2020 15:21 UTC

From: Michael A Peck <mpeck@mitre.org>
To: Filip Skokan <panva.ip@gmail.com>, Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>
CC: oauth <oauth@ietf.org>
Thread-Topic: [EXT] Re: [OAUTH-WG] DPoP followup III: client auth
Thread-Index: AQHWyVmcrFi8a3ShvkmhLyzxd1n2jKnmu7kA
Date: Fri, 04 Dec 2020 15:21:23 +0000
Message-ID: <5F2D6022-CA13-4255-ADC2-78CCC1AED766@mitre.org>
References: <CA+k3eCQjCjbcHxmTFn_Ce1aQ-gn31mAXNp9PGp7d6mXkfyDWPA@mail.gmail.com> <3134_1606988830_5FC8B41D_3134_178_1_CALAqi_-6ovK4otw9JW+c5H3qjnFrUqbwn-AoyGnA_EHfCSgQNw@mail.gmail.com>
In-Reply-To: <3134_1606988830_5FC8B41D_3134_178_1_CALAqi_-6ovK4otw9JW+c5H3qjnFrUqbwn-AoyGnA_EHfCSgQNw@mail.gmail.com>

Hi Brian,

I think I lean towards “Shut up and never speak of this again”, but could you clarify some things?

I missed the interim meeting discussion on this slide – it looks like DPoP for client authentication would have very similar properties to private_key_jwt, but using DPoP instead? i.e. both use a private key to sign a JWT that authenticates the client.

Could you expand a bit on the advantage of using DPoP for both client authentication and sender-constraining the token vs. using private_key_jwt (for client authentication) + DPoP (for sender-constraining the token)?

Adding to Filip’s comment, is there just one DPoP proof sent in the token request to cover both client authentication and sender-constraining the token, meaning the same keypair would be used for both DPoP usages? That would go against DPoP’s key rotation guidance, but maybe would be okay if freshness guarantees of the DPoP proof get added?

Thanks,
Mike


From: OAuth <oauth-bounces@ietf.org> on behalf of Filip Skokan <panva.ip@gmail.com>
Date: Thursday, December 3, 2020 at 4:49 AM
To: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: [EXT] Re: [OAUTH-WG] DPoP followup III: client auth

🤫, better not open up the possibility of thinking of DPoP Proof keys as pre-registered (i.e. not "ephemeral").

Best,
Filip


On Wed, 2 Dec 2020 at 23:30, Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org> wrote:
There were a few items discussed somewhat during the recent interim (https://datatracker.ietf.org/meeting/interim-2020-oauth-16/session/oauth) that I committed to bringing back to the list. The slide below (also available with a few extra spelling errors as slide #19 from the interim presentation, https://datatracker.ietf.org/meeting/interim-2020-oauth-16/materials/slides-interim-2020-oauth-16-sessa-dpop-01.pdf) is the last of them.

To summarize, I'm wondering if there's WG interest in working to formalize a client-to-AS authentication mechanism based on DPoP. I think it potentially would be problematic to put into the current document (for a number of reasons) so am preemptively ruling out that option. Thus, basically, I'm asking the WG if there is some/much interest in the idea? In which case I'll find some time (at some point) to write up an I-D for it and bring that back to the group for consideration. Or if I should, as the slide says, "shut up and never speak of this again"?

[attached slide image: image001.jpg]
