Re: [OAUTH-WG] PoP Key Distribution

Mike Jones <Michael.Jones@microsoft.com> Thu, 05 July 2018 15:02 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: Ludwig Seitz <ludwig.seitz@ri.se>, "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] PoP Key Distribution
Thread-Index: AdQTBj47ZlOcOW2pSHSpIBiWadk6FgAA3/bgABXsJYAAQ7FFYA==
Date: Thu, 05 Jul 2018 15:02:29 +0000
Message-ID: <MW2PR00MB0298E13AF13CA7094E22383CF5400@MW2PR00MB0298.namprd00.prod.outlook.com>
References: <VI1PR0801MB211213D11E7820FD31218663FA420@VI1PR0801MB2112.eurprd08.prod.outlook.com> <DM5PR00MB029359EBBE81D3899BEA34FBF5420@DM5PR00MB0293.namprd00.prod.outlook.com> <67ab6c51-4299-b433-01f0-cd023574175a@ri.se>
In-Reply-To: <67ab6c51-4299-b433-01f0-cd023574175a@ri.se>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/1_e8AsEvtlYwQ634Y70_rGJVZ3Q>
Subject: Re: [OAUTH-WG] PoP Key Distribution

Hi Ludwig.  You're right that AS Metadata doesn't cover RS Metadata.  I stand corrected on that point.  There was once an OAuth Resource Metadata draft but the working group didn't have immediate use cases for it and so it was allowed to expire.  Work on it can resume, if it would be useful.

I'm glad that "profile" is now optional in ACE.  I still believe that dynamic configurations where clients might use multiple OAuth profiles are a corner case and that purpose-built clients that have the profile information baked into the code will be the norm (particularly in constrained environments).  I'm fine with an independent OAuth specification being created that defines a profile identifier but I believe that conflating this with OAuth PoP Key Distribution would be a mistake.

				-- Mike

-----Original Message-----
From: OAuth <oauth-bounces@ietf.org> On Behalf Of Ludwig Seitz
Sent: Tuesday, July 3, 2018 11:37 PM
To: oauth@ietf.org
Subject: Re: [OAUTH-WG] PoP Key Distribution

On 2018-07-03 22:10, Mike Jones wrote:

> I believe that the ACE "profile" parameter is typically unnecessary 
> and not in the spirit of normal OAuth.  Configuration information 
> between OAuth participants is typically configured out of band and/or 
> retrieved from the AS Discovery document (per the newly minted RFC 
> 8414 <https://tools.ietf.org/html/rfc8414>). There's no need to 
> dynamically exchange a profile identifier when this is essentially 
> always known in advance.  We should not include "profile".  For that 
> matter, ACE should delete it as well, as it certainly isn't 
> appropriate in constrained environments.

I strongly disagree with this statement. First of all let me correct a misconception you seem to have: RFC 8414 is about AS metadata, while "profile" is RS metadata, so unless I've overlooked something, RFC 8414 is not applicable.
The "profile" parameter tells a client which communication security method to use with the RS (e.g. TLS) and how to perform the proof-of-possession of a token towards an RS (e.g. TLS client authentication).
When you take the work on proof-of-possession into account, that feels very much in the spirit of OAuth.

Second: the "profile" parameter is optional, so if it is already known because it was configured out of band or discovered somehow you just don't send it.

Finally: Profile is intended for use cases where mobile clients and RS dynamically join and leave a network, so that pre-configuring clients with metadata about the RS is difficult. Do you have a better idea how to solve these cases?


/Ludwig

--
Ludwig Seitz, PhD
Security Lab, RISE SICS
Phone +46(0)70-349 92 51

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
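The exchange above turns on how a client treats an optional "profile" parameter in the token response: Ludwig's point that a client with out-of-band configuration simply never sees it, and Mike's point that a purpose-built client can rely entirely on a baked-in value. The following is an added example, not code from either author, from the ACE working group, or from any ACE implementation. It assumes a simplified JSON rendering of the token response (real ACE responses are CBOR), and the profile identifiers "coap_dtls" and "coap_oscore" are the ones the ACE framework later registered (the published framework, RFC 9200, renamed the parameter "ace_profile"); the mapping from profile to proof-of-possession method, the sample response, and the "ace_tls" identifier used to exercise the rejection path are constructed for illustration. The security-relevant detail is the last branch: an AS-supplied profile is only honoured if the client actually supports it, so an unknown value is an error rather than a silent fallback to whatever the client happens to have configured.

```python
"""Client-side handling of the ACE 'profile' parameter in a token response.

Added example for the thread above; not from the thread's authors or from
any ACE implementation. Token response is a constructed JSON stand-in for
the CBOR form ACE actually uses.
"""
import json
from typing import Optional

# Profiles this client was built to support. The description of the PoP
# method bound to each profile is an assumption made for illustration.
SUPPORTED_PROFILES = {
    "coap_dtls": "DTLS handshake keyed with the PoP key (PSK or raw public key)",
    "coap_oscore": "OSCORE security context derived from the PoP key",
}


class ProfileError(ValueError):
    """Raised when no usable profile can be determined."""


def select_profile(token_response: dict, configured_profile: Optional[str]) -> str:
    """Return the profile identifier the client will use towards the RS.

    - 'profile' present in the response: use it (the dynamic-join case).
    - absent: fall back to the value configured out of band (the
      purpose-built-client case).
    - neither: the client cannot talk to the RS, so fail.
    An AS-supplied profile this client does not support is rejected
    rather than silently replaced by the configured one, so a
    misbehaving AS cannot steer the client onto an unexpected method.
    """
    profile = token_response.get("profile", configured_profile)
    if profile is None:
        raise ProfileError("no 'profile' in response and none configured")
    if profile not in SUPPORTED_PROFILES:
        raise ProfileError(f"unsupported profile {profile!r}")
    return profile


def parse_token_response(raw: str, configured_profile: Optional[str]) -> dict:
    """Extract what the client needs to contact the RS.

    'cnf' carries the PoP key the AS bound to the token; if absent the
    client uses the key it proposed in the request (not shown here).
    """
    resp = json.loads(raw)
    if "access_token" not in resp:
        raise ProfileError("token response missing 'access_token'")
    profile = select_profile(resp, configured_profile)
    pop_key = resp.get("cnf", {}).get("COSE_Key")
    return {
        "access_token": resp["access_token"],
        "profile": profile,
        "pop_method": SUPPORTED_PROFILES[profile],
        "pop_key": pop_key,
    }


# Constructed sample response: an AS that does send 'profile'.
SAMPLE_RESPONSE = json.dumps({
    "access_token": "<opaque CWT bytes>",
    "profile": "coap_dtls",
    "cnf": {"COSE_Key": {"kty": "Symmetric", "kid": "k1", "k": "<base64 key>"}},
})


if __name__ == "__main__":
    # Dynamic case: profile comes from the AS.
    print(parse_token_response(SAMPLE_RESPONSE, None)["profile"])
    # Baked-in case: same response without 'profile', client configured.
    static = dict(json.loads(SAMPLE_RESPONSE))
    del static["profile"]
    print(parse_token_response(json.dumps(static), "coap_oscore")["profile"])
```

Run it as a script to see both branches; the rejection of an unsupported identifier and the "neither" failure are exercised by calling `select_profile` directly.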