Re: [OAUTH-WG] TAuth
Stevie Graham <sg@teller.io> Tue, 22 November 2016 19:14 UTC
Return-Path: <sg@teller.io>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BA7F612956B for <oauth@ietfa.amsl.com>; Tue, 22 Nov 2016 11:14:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PUIKBin3Jadp for <oauth@ietfa.amsl.com>; Tue, 22 Nov 2016 11:14:29 -0800 (PST)
Received: from relay5-d.mail.gandi.net (relay5-d.mail.gandi.net [217.70.183.197]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 530AA129B46 for <OAuth@ietf.org>; Tue, 22 Nov 2016 11:14:29 -0800 (PST)
Received: from mfilter28-d.gandi.net (mfilter28-d.gandi.net [217.70.178.159]) by relay5-d.mail.gandi.net (Postfix) with ESMTP id BA4EA41C089; Tue, 22 Nov 2016 20:14:27 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at mfilter28-d.gandi.net
Received: from relay5-d.mail.gandi.net ([IPv6:::ffff:217.70.183.197]) by mfilter28-d.gandi.net (mfilter28-d.gandi.net [::ffff:10.0.15.180]) (amavisd-new, port 10024) with ESMTP id sV3lW5Bn8FAa; Tue, 22 Nov 2016 20:14:26 +0100 (CET)
X-Originating-IP: 109.144.223.24
Received: from [10.151.231.226] (unknown [109.144.223.24]) (Authenticated sender: sg@teller.io) by relay5-d.mail.gandi.net (Postfix) with ESMTPSA id 0F42741C091; Tue, 22 Nov 2016 20:14:24 +0100 (CET)
From: Stevie Graham <sg@teller.io>
Content-Type: multipart/alternative; boundary="Apple-Mail=_9726C3BE-F373-4EC1-9F02-7A69907A6190"
Message-Id: <447103B3-BEEC-4913-AFB2-6F0A19AD77E9@teller.io>
Date: Tue, 22 Nov 2016 19:14:23 +0000
To: dick.hardt@gmail.com, jricher@mit.edu, daru.tk@gmail.com, brockallen@gmail.com, OAuth@ietf.org
Mime-Version: 1.0 (Mac OS X Mail 9.2 \(3112\))
X-Mailer: Apple Mail (2.3112)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/tEpSrXJE07VlkLTbs3Z3vLXrxgc>
X-Mailman-Approved-At: Wed, 23 Nov 2016 07:12:38 -0800
Subject: Re: [OAUTH-WG] TAuth
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Nov 2016 19:15:22 -0000
Hi, Coming across this thread late. I’m the Author of the TAuth post. > What I don't understand is that he's saying people disable TLS checks so he's going to solve it with mutual TLS? It’s simple. Mutual TLS enables service providers to assert the peers are properly authenticated and enforce this as a policy. This won’t stop an incompetent developer disabling peer verification but it will stop that developer using the service if they do. > The reason an OAuth 2.0 server does not authenticate _public_ clients is because, by definition, a public client cannot keep its client secret confidential and so client authentication is almost meaningless. <snip> but they don't recognize that their insistence relies on the assumption that a secret key embedded in a client application can be kept confidential. This is incorrect. Modern mobile clients are capable of keeping a secret confidential, e.g. the Secure Enclave Processor on modern iOS devices and the Android analogues. The SEP can generate key material and use it to encrypt and sign arbitrary data. Key material is generated within the SEP and cannot be exfiltrated. To me this is the definition of being able to protect its own secrets. The TAuth bearer token analogue is not sensitive at all and cannot be used without the corresponding key material. > Does adding TOKBIND resolve the issues? Feel free to correct me here. I wasn’t that familiar with token binding but after reading the draft IMO it’s inferior to TAuth because it binds tokens to the connection. This necessitates refresh tokens, which I find an impediment to developer experience. TAuth binds tokens to the identity (the cert and pkey) thus can be reused again and again across TLS sessions. Token binding also provides no cryptographic guarantees that the peers are verified and that the connection is private. Best Stevie Graham Teller - https://teller.io/ <https://teller.io/> @stevegraham @tellerapi
- [OAUTH-WG] TAuth Dick Hardt
- Re: [OAUTH-WG] TAuth Brock Allen
- Re: [OAUTH-WG] TAuth Justin Richer
- Re: [OAUTH-WG] TAuth Dick Hardt
- Re: [OAUTH-WG] TAuth Takahiko Kawasaki
- Re: [OAUTH-WG] TAuth Stevie Graham
- Re: [OAUTH-WG] TAuth Justin Richer