IETF Logo Mail Archive

Re: [OAUTH-WG] New Version Notification for draft-campbell-oauth-tls-client-auth-00.txt

Samuel Erdtman <samuel@erdtman.se> Thu, 24 November 2016 06:48 UTC

Return-Path: <samuel@erdtman.se>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4BFD81294B4 for <oauth@ietfa.amsl.com>; Wed, 23 Nov 2016 22:48:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=erdtman-se.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GFidmPyE7FsF for <oauth@ietfa.amsl.com>; Wed, 23 Nov 2016 22:48:55 -0800 (PST)
Received: from mail-wm0-x230.google.com (mail-wm0-x230.google.com [IPv6:2a00:1450:400c:c09::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E32101294AE for <oauth@ietf.org>; Wed, 23 Nov 2016 22:48:54 -0800 (PST)
Received: by mail-wm0-x230.google.com with SMTP id g23so102759723wme.1 for <oauth@ietf.org>; Wed, 23 Nov 2016 22:48:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=erdtman-se.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=pkDaGs/24ux8xBcWrO31+gCiQqgHhC8c5jn4uzM85tQ=; b=ckOTyW/xWgS+uSlmdfsyP5PHfo7/8ox1/DDRXzFDE86V8DexKKMarhBvo/qsPHEjJD sM6qfX12PelA1MXraPixKR9tzmKjP0tp9YJsHfeS9LPe3CIkwNEtbK63jq04vUXJbZUP GpsbvIt1RqHvy/uxhgTy+YlAbKZXy6LEGr2CXGAERNCMmCsQFgNIjBBr3VsUHQjZfPIo 9KR/IphvmteN43BI5eJpop5TeUdxDYqmdTSeqdF1v+7R8ChB/5Jwn9LFB2ZwujwRYdNQ A2t0+fEapkIYXk9+WAB1t8Wt4DIzimY6N+jzKDD2WiXmj3zBAAUBksX2hi3KXR4mhzKc XOHQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=pkDaGs/24ux8xBcWrO31+gCiQqgHhC8c5jn4uzM85tQ=; b=LFXQh7lmY4AIBxP9NrWl56ibIsoQyYYY9qlUPyCW55YCuY9XnUzd9FbWWOnziCXxn+ vwtupIZErXI/E5wXDwrtEddgtjYu8wUK1bwqUxOI0d26VrEGHP7BwSHCjuLo9gXXW3r/ i/Y8jcSu8lyLAeCjnlSfXu7zKucyNQDdU8eWGcwKFdzvdqjJGL0OFXeU0iFsaG2ZGVHs fkKBjqRDXqaElLRSKADbcYC7JKbPbq6AaU++I64SCWOwCdmcEWMGk6dr9rDHPn96QuVh 81yeDRb6cIU/iK8ZWjpcWGIOBUQe0HMEMV0RuLkg3cfX9tX+tegk4i4wSwg8EltOLV5t vOzA==
X-Gm-Message-State: AKaTC01k2ckFQ5VryZk+d7KHwKSO9WpHOZdi8OWubpniMm52p9FuvhASa+f//JCjuZeSQrqKh4idW4DhHBrHHw==
X-Received: by 10.28.139.12 with SMTP id n12mr687658wmd.79.1479970133462; Wed, 23 Nov 2016 22:48:53 -0800 (PST)
MIME-Version: 1.0
Received: by 10.194.117.103 with HTTP; Wed, 23 Nov 2016 22:48:52 -0800 (PST)
In-Reply-To: <CA+k3eCTuC7EfXm-aGKDEPFUDjAjB4nZyy9wHCBwYVfRX6-zdzw@mail.gmail.com>
References: <147613227959.31428.2920748721017165266.idtracker@ietfa.amsl.com> <9CDE07EB-E5B4-43B2-B3C1-F12569CAB458@ve7jtb.com> <5827DE8A.4010807@lodderstedt.net> <4372F560-F98E-491B-BEDD-B02A2671D96C@mit.edu> <5827F848.3060803@lodderstedt.net> <2164E521-236F-46FC-AAF1-D2EE80F29BA9@mit.edu> <58280139.2040505@lodderstedt.net> <CA+k3eCS-S8G-jxRMnvczaysdNZSRWwiPnGTMnGVnh8dWgh0k-A@mail.gmail.com> <F31A1C87-C18F-4203-A1AE-DF32BCB005B4@mit.edu> <CAF2hCbYxcVzfPCQ5vLm9-Xnz3y_tMOepx1Gkwx9-2txKJo1zKg@mail.gmail.com> <CA+k3eCTuC7EfXm-aGKDEPFUDjAjB4nZyy9wHCBwYVfRX6-zdzw@mail.gmail.com>
From: Samuel Erdtman <samuel@erdtman.se>
Date: Thu, 24 Nov 2016 07:48:52 +0100
Message-ID: <CAF2hCbbQkwObfhXkTpUjXdwA+OBOeHUDf81MHDJ6Ovh9NPYf6Q@mail.gmail.com>
To: Brian Campbell <bcampbell@pingidentity.com>
Content-Type: multipart/alternative; boundary="001a11444d941567e30542066677"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/uvcd5mJB72dwRnAkiYpIvjxDLKw>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] New Version Notification for draft-campbell-oauth-tls-client-auth-00.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Nov 2016 06:48:58 -0000

+1 on providing guidance.


On Wed, Nov 16, 2016 at 12:08 AM, Brian Campbell <bcampbell@pingidentity.com
> wrote:

> Yes, I believe you are correct. Client certificates are provided in the
> handshake (initial or renegotiated) at the request of the server. If the
> server asks and the client doesn't provide a cert, it's up to the server
> whether to continue or about the handshake.
>
> There seem to be a number of different ways of trying to deal with this
> (not strictly for this OAuth case but similar situations).
>
> The AS could always request client certs but allow connections to proceed
> regardless. Then check for certs for appropriate clients while processing
> token requests.  I guess there's a little overhead in the handshake with
> this for all the connections that won't present a cert. But not a ton. The
> main drawback is that some/many browsers have UI that will prompt users to
> choose a cert even when they don't have any. And the user experience can be
> very bad or confusing as a result.
>
> The token endpoint could be on a different host or port which always
> requests client certs. Still allow connections to proceed regardless and
> check the client credentials at the OAuth layer. Pretty similar to the
> above but avoids the usability issues with end users because it's only at
> the token endpoint.
>
> Trying renegotiation after the application sees that it's a token request
> or that it's a token request from a client id that's configured for mutual
> TLS is another approach. In my own limited experience with this kind of
> thing, however, this approach can be kind of flaky. And your point about
> the initial data not being trustworthy is legitimate. I'm not sure if it
> really matters in this case. I don't know. And signaling to resubmit is
> another issue all together.
>
> There are probably other approaches too but those are the things I've seen
> or can imagine. In all (or nearly all) the deployments of our stuff that I
> know about that deal with mutual TLS, some variation of the second option
> is used.
>
> All this seem like implementation/deployment details though and I'm
> hesitant to try and define how to do it in this doc. Maybe providing some
> guidance. I'm not exactly sure how to do that though.
>
>
>
> On Tue, Nov 15, 2016 at 10:14 AM, Samuel Erdtman <samuel@erdtman.se>
> wrote:
>
>> Torstens questions triggers another question from me.
>>
>> If we have an AS that can handle both certificate client auth and client
>> secret, how does the AS know that it should ask for client certificate on
>> the TLS layer.
>>
>> It was a while since I last read the TLS specification and it might have
>> changed but if i remember correctly client certificates are provided in
>> initial handshake or in re-negotiate and it is only provided on request by
>> the server.
>>
>> If this is still true the AS would need to first get the token request,
>> see that this is a client that authenticates with certificate and request a
>> TLS re-negotiate to get the certificate authentication and a re-submission
>> of the token request since we cannot trust the data first submitted.
>>
>> Are I missing something obvious, or is this something that needs to be
>> defined?
>>
>> //Samuel
>>
>>
>>
>>
>>
>>
>>
>> On Mon, Nov 14, 2016 at 1:26 AM, Justin Richer <jricher@mit.edu> wrote:
>>
>>> Right — this is a fine way to put it. RFC7591 defines a client model
>>> where RFC6749 didn’t. Ideally all that metadata would’ve been in the
>>> original spec, but it’s not. It doesn’t matter whether the client was
>>> registered dynamically or statically, it just matters that the AS knows
>>> what to expect from a given client.
>>>
>>>  — Justin
>>>
>>> On Nov 14, 2016, at 6:21 AM, Brian Campbell <bcampbell@pingidentity.com>
>>> wrote:
>>>
>>> Yes, the intend is that the authentication method is determined by
>>> client policy regardless of whether the client was dynamically registered
>>> or statically configured or whatever. I can make that point more explicit
>>> in future revisions of the draft.
>>>
>>> On Sat, Nov 12, 2016 at 10:59 PM, Torsten Lodderstedt <
>>> torsten@lodderstedt.net> wrote:
>>>
>>>> I understand. My point is different: the text seems to assume everybody
>>>> is using client registration, but that's not the case. I would like to
>>>> point out it makes sense to explicitely state the assumption that it is
>>>> determined by client policy (indepedent of the way this policy is
>>>> established).
>>>>
>>>>
>>>> Am 13.11.2016 um 14:24 schrieb Justin Richer:
>>>>
>>>> As part of the client’s registered data model. At least, based on how
>>>> our own implementation works (where we support client_secret_basic,
>>>> private_key_jwt, etc), that’s where we’d check to see if the client was
>>>> supposed to be using TLS auth or not.
>>>>
>>>> We don’t let clients switch away from their registered auth mechanism.
>>>>
>>>>  — Justin
>>>>
>>>> On Nov 13, 2016, at 2:21 PM, Torsten Lodderstedt <
>>>> torsten@lodderstedt.net> wrote:
>>>>
>>>> Justin,
>>>>
>>>> Am 13.11.2016 um 13:39 schrieb Justin Richer:
>>>>
>>>> Torsten, I believe this is intended to be triggered by the
>>>> tls_client_auth value specified in §3.
>>>>
>>>>
>>>> in the token request?
>>>>
>>>>
>>>> Nit on that section, the field name for the client metadata in RFC7591
>>>> is token_endpoint_auth_method, the _supported version is from the
>>>> corresponding discovery document.
>>>>
>>>>  — Justin
>>>>
>>>> Torsten.
>>>>
>>>> On Nov 13, 2016, at 12:31 PM, Torsten Lodderstedt <
>>>> <torsten@lodderstedt.net>torsten@lodderstedt.net> wrote:
>>>>
>>>> Hi John and Brian,
>>>>
>>>> thanks for writting this draft.
>>>>
>>>> One question: how does the AS determine the authentication method is
>>>> TLS authentication? I think you assume this is defined by the
>>>> client-specific policy, independent of whether the client is registered
>>>> automatically or manually. Would you mind to explicitely state this in the
>>>> draft?
>>>>
>>>> best regards,
>>>> Torsten.
>>>>
>>>> Am 11.10.2016 um 05:59 schrieb John Bradley:
>>>>
>>>> At the request of the OpenID Foundation Financial Services API Working
>>>> group, Brian Campbell and I have documented
>>>> mutual TLS client authentication.   This is something that lots of
>>>> people do in practice though we have never had a spec for it.
>>>>
>>>> The Banks want to use it for some server to server API use cases being
>>>> driven by new open banking regulation.
>>>>
>>>> The largest thing in the draft is the IANA registration of
>>>> “tls_client_auth” Token Endpoint authentication method for use in
>>>> Registration and discovery.
>>>>
>>>> The trust model is intentionally left open so that you could use a
>>>> “common name” and a restricted list of CA or a direct lookup of the subject
>>>> public key against a reregistered value,  or something in between.
>>>>
>>>> I hope that this is non controversial and the WG can adopt it quickly.
>>>>
>>>> Regards
>>>> John B.
>>>>
>>>>
>>>>
>>>>
>>>> Begin forwarded message:
>>>>
>>>> *From: * <internet-drafts@ietf.org>internet-drafts@ietf.org
>>>> *Subject: **New Version Notification for
>>>> draft-campbell-oauth-tls-client-auth-00.txt*
>>>> *Date: *October 10, 2016 at 5:44:39 PM GMT-3
>>>> *To: *"Brian Campbell" < <brian.d.campbell@gmail.com>
>>>> brian.d.campbell@gmail.com>, "John Bradley" < <ve7jtb@ve7jtb.com>
>>>> ve7jtb@ve7jtb.com>
>>>>
>>>>
>>>> A new version of I-D, draft-campbell-oauth-tls-client-auth-00.txt
>>>> has been successfully submitted by John Bradley and posted to the
>>>> IETF repository.
>>>>
>>>> Name: draft-campbell-oauth-tls-client-auth
>>>> Revision: 00
>>>> Title: Mutual X.509 Transport Layer Security (TLS) Authentication for
>>>> OAuth Clients
>>>> Document date: 2016-10-10
>>>> Group: Individual Submission
>>>> Pages: 5
>>>> URL:
>>>> <https://www.ietf.org/internet-drafts/draft-campbell-oauth-tls-client-auth-00.txt>
>>>> https://www.ietf.org/internet-drafts/draft-campbe
>>>> ll-oauth-tls-client-auth-00.txt
>>>> Status:
>>>> <https://datatracker.ietf.org/doc/draft-campbell-oauth-tls-client-auth/>
>>>> https://datatracker.ietf.org/doc/draft-campbell-oauth-tls-client-auth/
>>>> Htmlized:
>>>> <https://tools.ietf.org/html/draft-campbell-oauth-tls-client-auth-00>
>>>> https://tools.ietf.org/html/draft-campbell-oauth-tls-client-auth-00
>>>>
>>>>
>>>> Abstract:
>>>>   This document describes X.509 certificates as OAuth client
>>>>   credentials using Transport Layer Security (TLS) mutual
>>>>   authentication as a mechanism for client authentication to the
>>>>   authorization server's token endpoint.
>>>>
>>>>
>>>>
>>>>
>>>> Please note that it may take a couple of minutes from the time of
>>>> submission
>>>> until the htmlized version and diff are available at tools.ietf.org.
>>>>
>>>> The IETF Secretariat
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> OAuth mailing listOAuth@ietf.orghttps://www.ietf.org/mailman/listinfo/oauth
>>>>
>>>>
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>>
>>
>

v2.23.0 | Report a Bug | By Email