Re: [OAUTH-WG] DPoP followup III: client auth

Brian Campbell <bcampbell@pingidentity.com> Fri, 04 December 2020 19:02 UTC

From: Brian Campbell <bcampbell@pingidentity.com>
Date: Fri, 04 Dec 2020 12:01:59 -0700
Message-ID: <CA+k3eCT4W0J-1jdaOZPc+BQgOP-QiukyAPokUbaNAx5VWKCfZA@mail.gmail.com>
To: toshio9.ito@toshiba.co.jp
Cc: oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/ulc4UYtBy662H8H6I_VFsZBMu-c>

On Thu, Dec 3, 2020 at 6:26 PM <toshio9.ito@toshiba.co.jp> wrote:

> Hi Brian, everyone
>
> I'm interested in a client authentication method based on DPoP. It'd be a
> good option for application-layer client authentication with asymmetric keys.
>
> However, I don't think the DPoP draft should include DPoP as a client
> authentication method. It should be a different document.

Agree. It'll go in a different document, if it happens at all.


> In addition, I'm not sure we can (or should) use exactly the same DPoP
> Proof JWT structure for client authentication.

If not, then RFC7523 private_key_jwt client auth is already defined and
available for application-layer client authentication with asymmetric keys.


>
> Toshio Ito
>
> *From:* OAuth <oauth-bounces@ietf.org> *On Behalf Of *Brian Campbell
> *Sent:* Thursday, December 3, 2020 7:29 AM
> *To:* oauth <oauth@ietf.org>
> *Subject:* [OAUTH-WG] DPoP followup III: client auth
>
> There were a few items discussed somewhat during the recent interim
> <https://datatracker.ietf.org/meeting/interim-2020-oauth-16/session/oauth>
> that I committed to bringing back to the list. The slide below (also
> available with a few extra spelling errors as slide #19 from the interim
> presentation
> <https://datatracker.ietf.org/meeting/interim-2020-oauth-16/materials/slides-interim-2020-oauth-16-sessa-dpop-01.pdf>)
> is the last of them.
>
> To summarize, I'm wondering if there's WG interest in working to formalize
> a client-to-AS authentication mechanism based on DPoP. I think it
> potentially would be problematic to put into the current document (for a
> number of reasons) so am preemptively ruling out that option. Thus,
> basically, I'm asking the WG if there is some/much interest in the idea? In
> which case I'll find some time (at some point) to write up an I-D for it
> and bring that back to the group for consideration. Or if I should, as the
> slide says, "shut up and never speak of this again"?
>
> [image: Slide19.jpeg]
>

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._