[OAUTH-WG] Re: Call for adoption - PIKA

Michael Jones <michael_b_jones@hotmail.com> Mon, 10 June 2024 16:13 UTC

From: Michael Jones <michael_b_jones@hotmail.com>
To: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>, oauth <oauth@ietf.org>
Date: Mon, 10 Jun 2024 16:13:35 +0000
Message-ID: <SJ0PR02MB743941C99DEAA144AC6298D5B7C62@SJ0PR02MB7439.namprd02.prod.outlook.com>
References: <CADNypP9GmF4vp1uzLXK0YYZAHUDjK7RHbhEb4MCXkB7N3Oq4+w@mail.gmail.com>
In-Reply-To: <CADNypP9GmF4vp1uzLXK0YYZAHUDjK7RHbhEb4MCXkB7N3Oq4+w@mail.gmail.com>
Subject: [OAUTH-WG] Re: Call for adoption - PIKA
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/rPPI9E8fwN1NiMM1TkaQUfFYEDI>

While I'm generally supportive of the goals of this draft, I have issues with the mechanisms proposed.  Therefore, I believe that more working group discussion is needed before adoption.

If I were to do something along these lines, I would not use "x5c".  Other than for TLS certificates, the OAuth and JOSE specs generally steer clear of dependence upon X.509 certificates.  Especially for a spec focused on JWK Sets, it's odd to require an X.509 certificate to secure them.  Instead, I'd do so by validating the signature made by the issuer.

Also, the spec says:
   *  The JOSE Header of the PIKA MUST contain an x5c field.  The
      contents of this field MUST represent a certificate chain that
      authenticates the domain name in the iss field.  The domain name
      MUST appear as a dNSName entry in the subjectAltName extension of
      the end-entity certificate.

This talks about the domain name of the issuer, but not the path within the issuer.  In multi-tenant systems, issuers typically include path components.  When the issuer is https://example.com/tenant/123, what would the DNSName entry be?  The spec doesn't say.

Conclusion: Not ready for adoption

-- Mike

From: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
Sent: Monday, June 10, 2024 4:47 AM
To: oauth <oauth@ietf.org>
Subject: [OAUTH-WG] Call for adoption - PIKA

All,
This is an official call for adoption for the Proof of Issuer Key Authority (PIKA) draft:
https://datatracker.ietf.org/doc/draft-barnes-oauth-pika/

Please reply on the mailing list and let us know if you are in favor of or against adopting this draft as a WG document, by June 24th.

Regards,
 Rifaat & Hannes
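The issuer-to-dNSName question raised in Mike's reply, as an added example that is neither the draft's nor the thread's code: a verifier can only compare the host part of iss against the certificate, so https://example.com/tenant/123 and https://example.com/tenant/456 both reduce to example.com and are indistinguishable by the x5c check alone. The SAN list is constructed for the demo; the matching rule follows RFC 6125 style wildcard handling.

```python
"""Host-only binding between a PIKA 'iss' and a certificate's dNSName entries.
Added example for the thread above; not code from the draft or its authors.
"""
from urllib.parse import urlsplit


def issuer_host(iss: str) -> str:
    """Return the lowercase DNS host of an issuer URL, raising ValueError if it
    is not a plain https URL. Only the host can be compared with a dNSName:
    a path such as /tenant/123 has no counterpart in the certificate, so
    every tenant under one host reduces to the same value."""
    p = urlsplit(iss)
    if p.scheme != "https" or not p.hostname:
        raise ValueError("issuer must be an https URL with a host")
    if p.username is not None or p.query or p.fragment:
        raise ValueError("issuer must not carry userinfo, query or fragment")
    return p.hostname.lower().rstrip(".")


def is_well_formed_issuer(iss: str) -> bool:
    try:
        issuer_host(iss)
        return True
    except ValueError:
        return False


def dnsname_matches(host: str, san: str) -> bool:
    """Case-insensitive comparison against one dNSName; a wildcard is accepted
    only as the entire left-most label of a name with at least 3 labels."""
    hl = host.lower().rstrip(".").split(".")
    sl = san.lower().rstrip(".").split(".")
    if len(hl) != len(sl):
        return False
    if sl[0] == "*":
        return len(sl) >= 3 and hl[1:] == sl[1:]
    return hl == sl


def issuer_bound_by_cert(iss: str, san_dnsnames: list[str]) -> bool:
    """True if some dNSName in the end-entity SAN covers the issuer's host."""
    host = issuer_host(iss)
    return any(dnsname_matches(host, san) for san in san_dnsnames)


SAN_DNSNAMES = ["example.com", "*.example.com"]  # constructed SAN for the demo

if __name__ == "__main__":
    for iss in ("https://example.com/tenant/123", "https://example.com/tenant/456",
                "https://auth.example.com", "https://a.b.example.com/"):
        print(iss, "->", issuer_host(iss), issuer_bound_by_cert(iss, SAN_DNSNAMES))
```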