Re: [OAUTH-WG] Signed JWK Sets

Orie Steele <orie@transmute.industries> Wed, 20 March 2024 00:22 UTC

References: <CAL02cgSANrR=nys3RXDOYJPibLkv25X8Okq4dhL0Dpfi_ZSS_A@mail.gmail.com> <CACsn0cm0XdfFEjspPuBaHiv5AD0PNpCCRifo4OOC+F+XC3rAmg@mail.gmail.com> <CAL02cgQVWQfQ2wnpHZ2=OL5NMJTMf_Bxv+jifBFzu0WK+wYqrg@mail.gmail.com> <CACsn0cmM3otJ-P0O7dVNtNzc8sjJUxzOfzz+nAgmzqXtzdXb-A@mail.gmail.com> <CAOgPGoDtaC=sFqj8O7ygvFziEMS2Zeigxy5aQSRPXPthd1kqYA@mail.gmail.com>
In-Reply-To: <CAOgPGoDtaC=sFqj8O7ygvFziEMS2Zeigxy5aQSRPXPthd1kqYA@mail.gmail.com>
From: Orie Steele <orie@transmute.industries>
Date: Wed, 20 Mar 2024 10:22:03 +1000
Message-ID: <CAN8C-_LJ21JM+wAKApf342T6SSOqaJtRpkhGVjhOEwnPGwPUKg@mail.gmail.com>
To: Joseph Salowey <joe@salowey.net>
Cc: Watson Ladd <watsonbladd@gmail.com>, Sharon Goldberg <goldbe@bastionzero.com>, "oauth@ietf.org WG" <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/sVfV69tlYwn3Mmoa69kgu8or6mg>
Subject: Re: [OAUTH-WG] Signed JWK Sets
List-Id: OAUTH WG <oauth.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>

In SPICE and SCITT, we have discussed similar proposals for "identity
documents", which are essentially a signed collection of keys and
attributes.

I think a generic building block that works for JOSE and COSE would be
great.

I don't think OAuth is the right place to develop general purpose identity
credentials, but it is a great place to develop profiles of identity
credentials that are specific to authorization.

Tldr, I'm supportive of the work, and I'd like to see a COSE format that we
could use in SCITT.

OS

On Wed, Mar 20, 2024, 9:24 AM Joseph Salowey <joe@salowey.net> wrote:

> I think Signed JWK sets are useful and would like to see them used in more
> use cases so separating out the specifications seems like a good idea.  We
> will have to be careful to specify what security and deployment properties you
> are trying to achieve in different use cases.
>
> On Tue, Mar 19, 2024 at 11:36 AM Watson Ladd <watsonbladd@gmail.com>
> wrote:
>
>> On Sun, Mar 17, 2024 at 5:32 PM Richard Barnes <rlb@ipv.sx> wrote:
>> >
>> > Hi Watson,
>> >
>> > I appreciate the concerns with regard to re-using Web PKI certs for
>> cases such as these.  Care is required, but I think there is a path here.
>> >
>> > 1. Clearly there are cross-protocol concerns.  I expect that most usage
>> here in reality would be based on ECDSA / EdDSA, not RSA, which helps.  I
>> would be comfortable with security considerations recommending that a key
>> pair / certificate used for signing these things be used for no other
>> purpose.
>> >
>>
>
> [Joe] I think there may also be a consideration in some environments that
> problems could arise if keys not intended for signing JWK sets could be
> used to sign JWK sets.
>
>
>> > 2. Validity times are definitely a challenge for the container signing
>> use case, but from the conversations I've had with that community, they are
>> taking an orthogonal approach.  As I tried to sketch in the document, they
>> are establishing authorities that will vouch that a signed thing existed at
>> a given time, so that a relying party can safely rewind their clock and
>> validate as if it were that time.  See, e.g., SigStore
>> <https://www.sigstore.dev/>, which has roughly this shape if you squint
>> right.
>>
>> That should work out: might want a security considerations saying this.
>>
>> >
>> > 3. I don't think there's actually any disconnect between HTTPS
>> authentication and proof of authority.  The Web PKI is about authenticating
>> domain names, which is what both use cases require.
>>
>> Only with certain validation methods. Others like agreed upon change
>> to site content have a narrower scope and the BRs reflect this
>> subtlety. To be honest you're probably safe and I am not the expert
>> here.
>>
>
> [Joe] I think this can work and be useful in many cases, but there may be
> some subtleties here that should be considered.  All the more reason to
> document this.
>
>
>> Sincerely,
>> Watson
>>
>> --
>> Astra mortemque praestare gradatim
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
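The thread raises three verifier-side properties for a signed JWK Set: the signing key should be used for no other purpose (Richard's point 1 and Joe's remark that keys not intended for JWK Set signing must not be accepted for it), validity times may be evaluated at a time an authority vouched for rather than at the wall clock (point 2, the Sigstore-style "rewind"), and the header must not be free to pick the algorithm. The Go program below is an added example written for this page; it is not code from the thread, from any OAuth draft, or from Sigstore. It assumes a hypothetical explicit `typ` value (`jwk-set+jwt`), constructed key ids (`jwks-signer-1`) and a constructed issue time; the keys are generated at run time and the JWS is a minimal compact EdDSA/Ed25519 serialization, not a full JOSE implementation.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Hypothetical explicit "typ" value (in the spirit of RFC 8725 section 3.11);
// the thread defines none, so this is a placeholder, not a registered type.
const jwkSetTyp = "jwk-set+jwt"

// Payload of the signed JWK Set: a validity window plus the published keys.
type JWKSetClaims struct {
	Nbf  int64               `json:"nbf"`
	Exp  int64               `json:"exp"`
	Keys []map[string]string `json:"keys"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// protectedHeader is the only header this profile accepts, serialized canonically
// (json.Marshal sorts map keys), so signer and verifier derive identical bytes.
func protectedHeader(kid string) string {
	h, _ := json.Marshal(map[string]string{"alg": "EdDSA", "typ": jwkSetTyp, "kid": kid})
	return b64(h)
}

// SignJWKSet emits a compact JWS over the claims with EdDSA/Ed25519 (RFC 8037).
func SignJWKSet(priv ed25519.PrivateKey, kid string, c JWKSetClaims) (string, error) {
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := protectedHeader(kid) + "." + b64(body)
	return input + "." + b64(ed25519.Sign(priv, []byte(input))), nil
}

// VerifyJWKSet accepts only the one key (kid, pub) dedicated to JWK Set signing
// and evaluates nbf/exp at `at`, which may be a vouched-for time, not the wall clock.
func VerifyJWKSet(token, kid string, pub ed25519.PublicKey, at time.Time) (*JWKSetClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed compact JWS")
	}
	// alg, typ and kid are fixed by policy; any other header is rejected unparsed.
	if parts[0] != protectedHeader(kid) {
		return nil, fmt.Errorf("protected header rejected: %q", parts[0])
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != ed25519.SignatureSize ||
		!ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, fmt.Errorf("signature does not verify under the JWK Set signing key")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c JWKSetClaims
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, err
	}
	if t := at.Unix(); t < c.Nbf || t >= c.Exp {
		return nil, fmt.Errorf("not valid at %d (nbf=%d exp=%d)", t, c.Nbf, c.Exp)
	}
	return &c, nil
}

type Scenario struct{ RejectedAfterExpiry, ValidWhenRewound, RejectedForeignKey bool }

// RunScenario uses constructed keys: a dedicated JWK Set signer and a service key
// that the set publishes (and which therefore serves a different purpose).
func RunScenario() (Scenario, error) {
	var s Scenario
	setPub, setPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return s, err }
	svcPub, svcPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return s, err }
	issued := time.Date(2024, 3, 20, 0, 0, 0, 0, time.UTC) // constructed
	claims := JWKSetClaims{Nbf: issued.Unix(), Exp: issued.Add(24 * time.Hour).Unix(),
		Keys: []map[string]string{{"kty": "OKP", "crv": "Ed25519", "x": b64(svcPub)}}}
	tok, err := SignJWKSet(setPriv, "jwks-signer-1", claims)
	if err != nil { return s, err }
	// Two days later the wall clock says the set has expired.
	_, err = VerifyJWKSet(tok, "jwks-signer-1", setPub, issued.Add(48*time.Hour))
	s.RejectedAfterExpiry = err != nil
	// An authority vouched that the set existed at `issued`: validate as of then.
	_, err = VerifyJWKSet(tok, "jwks-signer-1", setPub, issued.Add(time.Minute))
	s.ValidWhenRewound = err == nil
	// Same kid and claims, but signed by the service key, not the dedicated signer.
	foreign, _ := SignJWKSet(svcPriv, "jwks-signer-1", claims)
	_, err = VerifyJWKSet(foreign, "jwks-signer-1", setPub, issued.Add(time.Minute))
	s.RejectedForeignKey = err != nil
	return s, nil
}

func main() { fmt.Println(RunScenario()) }
```

Comparing the encoded protected header byte-for-byte is a deliberately strict profile choice: it rejects algorithm substitution, a missing or different `typ`, and any unexpected header parameter without parsing attacker-controlled JSON first; an interoperable verifier would instead parse the header and compare the individual fields. The example also shows what the thread's "rewind the clock" idea needs from a verifier, namely that the evaluation time is an input rather than `time.Now()`; what it does not show is how the relying party decides to trust that time, or the binding of the signing key to a Web PKI certificate and domain name that Richard and Watson discuss.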