Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-pop-key-distribution-03.txt
Nat Sakimura <sakimura@gmail.com> Fri, 03 March 2017 03:15 UTC
Return-Path: <sakimura@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 49A9012965E for <oauth@ietfa.amsl.com>; Thu, 2 Mar 2017 19:15:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.698
X-Spam-Level:
X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zbPXUrChYDan for <oauth@ietfa.amsl.com>; Thu, 2 Mar 2017 19:15:45 -0800 (PST)
Received: from mail-qk0-x22a.google.com (mail-qk0-x22a.google.com [IPv6:2607:f8b0:400d:c09::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1AFDB12711D for <oauth@ietf.org>; Thu, 2 Mar 2017 19:15:45 -0800 (PST)
Received: by mail-qk0-x22a.google.com with SMTP id 1so37753103qkl.3 for <oauth@ietf.org>; Thu, 02 Mar 2017 19:15:45 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=/P0bsjZvf9FsvJw/BhT46/EGxoO2JGb8PXUEclqoGhc=; b=N+xEGGBQQoM9IVhkQoV2pjj+rK/hkye6Qd4JxI+V2ZgInE0XGn0diBTxAZmyoMlJLE 06/t0d5Q6QRWymhNaUMNV8TQZgRdttNnU49D+3+UWvnb56EmNuPAy+L3zAaNT/Pt9ExI 88o3Pm0WrwoHZJEhS2YD7d8Uh8OCXmXv1JEVTKD0rQmVMzDBWDPo6+UHasSPUBVKU3Jd 5QGJXnzRHDkEot4xmk89Kg37Dnag109kaUzQBoNOwTsmFUyrfN/uRmNzX4QcKQTFyZCc NeGVIHoV1D5RMSIYaNPrTyi5n7TrdzSdfOAWM69U/hTipOgkb+Ck7+nB9udWN4GPlmWo 89wQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=/P0bsjZvf9FsvJw/BhT46/EGxoO2JGb8PXUEclqoGhc=; b=MU1mFHvsiS6bZdK/a2CYzM1J4tEyMQPoNXzHMs0yFxK/x2kDDCAGZ2QHLy8fzwlMaD vAX//BdK1YzTJhAerKiGkPi2CiKUUt+c3QXciFNYrEP+ZQTu8Q5ZId1YpkHZVvdnSylS vbiYl09RBQPFVt9QAtiqVWY6sOWHMoYsTx7YOfBhRdvxIxTaEzRvV1i7T2VNiAUkwr+j 60QMa32W4wq4fful1BD+tgmNLfxuZy/2K3rJ6473Iv8lxCefyA2whXTae0+FdVS629aj IKUMUgAucsnAtB+84Toz1V9zUuatfx95zr6DBpS+edBVPq555Oqb5Walkekb8oBLPs0H 496w==
X-Gm-Message-State: AMke39nNplrKjbebEgk9wm6eQk2d7ewex0dkgmYJ1QF/lhfHeDYfPA3R9HCiGuXJa7wTnj8HA8W9uFpkWMLiLw==
X-Received: by 10.55.191.69 with SMTP id p66mr490251qkf.84.1488510944118; Thu, 02 Mar 2017 19:15:44 -0800 (PST)
MIME-Version: 1.0
References: <148797332573.3278.6515135380852468551.idtracker@ietfa.amsl.com> <D2329C0E-C3F8-4F69-88AE-584561E45B65@ve7jtb.com> <B021DB9E-1ECF-4278-833F-5A13EA5F3A77@oracle.com> <C08A4EBC-3935-4AF2-8C8C-926C57A2B02A@ve7jtb.com>
In-Reply-To: <C08A4EBC-3935-4AF2-8C8C-926C57A2B02A@ve7jtb.com>
From: Nat Sakimura <sakimura@gmail.com>
Date: Fri, 03 Mar 2017 03:15:33 +0000
Message-ID: <CABzCy2Dcq2ABY5YQepefychXBtJotKReauU2aB3XW3Zzr=W-ew@mail.gmail.com>
To: John Bradley <ve7jtb@ve7jtb.com>, Phil Hunt <phil.hunt@oracle.com>
Content-Type: multipart/alternative; boundary="94eb2c043d421191500549caf649"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/uIbNMEA-D-S2Q8ZNEAgHlIqgXNs>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-pop-key-distribution-03.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Mar 2017 03:15:47 -0000
+1 Token binding is good, but there are infrastructures that cannot deploy it while they still need HoK in some manner. It could be a short term thing -- perhaps 3 years, but they have to do it now so... I have a question about the draft. In section 5.1, `key` is optional and when it is omitted, the server creates a ephemeral key pair for the client. My question is: how do you send the ephemeral private key securely to the client? I suppose it is returned in the similar fashion as in the case of the symmetric, but it is not clear from my read. Also, at that point, the authorization server has everything needed to impersonate the client, which may not be desirable. Is it not simpler and better to REQUIRE the `key` parameter? Nat On Sat, Feb 25, 2017 at 8:51 AM John Bradley <ve7jtb@ve7jtb.com> wrote: > The European banks are interested in mutual TLS for server to server > connections as part of PSD2/Open Banking. > > They have been thinking that they would have central CA and directly use > CA certificates for all the legs. > > I sent them this to get them thinking that they could perhaps secure the > token endpoint with cert based mutual TLS but allow clients to specify > there own keys for access tokens to make key rotation and deployment easier. > > I was also think ing that they could protect a jwks_uri with the CA > certificate using OCSP stapling and then use mutual TLS to the token > endpoint based on keyid and/or fingerprint. allowing for rotation of keys > to token endpoint and better support clusters with multiple keys. > > I don’t think this has much interest outside of some verticals like > financials. > > John B. > > On Feb 24, 2017, at 8:33 PM, Phil Hunt <phil.hunt@oracle.com> wrote: > > I have been wondering about that myself. Interest seems to wained with the > TOKBIND work emerging. Maybe I am wrong about that? > > Phil > > Oracle Corporation, Identity Cloud Services & Identity Standards > @independentid > www.independentid.com > phil.hunt@oracle.com > > > > > > > > On Feb 24, 2017, at 1:58 PM, John Bradley <ve7jtb@ve7jtb.com> wrote: > > I updated the references but haven't made any other changes. > > I had some questions about it so though it was worth keeping alive > at-least for discussion. > > There have been some other questions and proposed changes. > > I will take a look through them and see if what may be worth updating. > > John B. > > Begin forwarded message: > > *From: *internet-drafts@ietf.org > *Subject: **[OAUTH-WG] I-D Action: > draft-ietf-oauth-pop-key-distribution-03.txt* > *Date: *February 24, 2017 at 6:55:25 PM GMT-3 > *To: *<i-d-announce@ietf.org> > *Cc: *oauth@ietf.org > > > A New Internet-Draft is available from the on-line Internet-Drafts > directories. > This draft is a work item of the Web Authorization Protocol of the IETF. > > Title : OAuth 2.0 Proof-of-Possession: Authorization > Server to Client Key Distribution > Authors : John Bradley > Phil Hunt > Michael B. Jones > Hannes Tschofenig > Filename : draft-ietf-oauth-pop-key-distribution-03.txt > Pages : 18 > Date : 2017-02-24 > > Abstract: > RFC 6750 specified the bearer token concept for securing access to > protected resources. Bearer tokens need to be protected in transit > as well as at rest. When a client requests access to a protected > resource it hands-over the bearer token to the resource server. > > The OAuth 2.0 Proof-of-Possession security concept extends bearer > token security and requires the client to demonstrate possession of a > key when accessing a protected resource. > > This document describes how the client obtains this keying material > from the authorization server. > > > The IETF datatracker status page for this draft is: > https://datatracker.ietf.org/doc/draft-ietf-oauth-pop-key-distribution/ > > There's also a htmlized version available at: > https://tools.ietf.org/html/draft-ietf-oauth-pop-key-distribution-03 > > A diff from the previous version is available at: > https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-pop-key-distribution-03 > > > Please note that it may take a couple of minutes from the time of > submission > until the htmlized version and diff are available at tools.ietf.org. > > Internet-Drafts are also available by anonymous FTP at: > ftp://ftp.ietf.org/internet-drafts/ > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > -- Nat Sakimura Chairman of the Board, OpenID Foundation
- [OAUTH-WG] I-D Action: draft-ietf-oauth-pop-key-d… internet-drafts
- [OAUTH-WG] Fwd: I-D Action: draft-ietf-oauth-pop-… John Bradley
- Re: [OAUTH-WG] Fwd: I-D Action: draft-ietf-oauth-… Phil Hunt
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-pop-k… John Bradley
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-pop-k… Nat Sakimura
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-pop-k… John Bradley
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-pop-k… Nat Sakimura
- Re: [OAUTH-WG] Fwd: I-D Action: draft-ietf-oauth-… Ludwig Seitz
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-pop-k… Anthony Nadalin
- Re: [OAUTH-WG] Fwd: I-D Action: draft-ietf-oauth-… John Bradley