[OAUTH-WG] Re: Call for adoption - PIKA
Watson Ladd <watsonbladd@gmail.com> Tue, 11 June 2024 05:01 UTC
From: Watson Ladd <watsonbladd@gmail.com>
Date: Mon, 10 Jun 2024 22:01:10 -0700
Message-ID: <CACsn0c=-BSrAcoFjeqjaVpgQtRj5NQtoaR8M09mwgSJe9LTN+Q@mail.gmail.com>
To: Michael Jones <michael_b_jones@hotmail.com>
CC: oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/v9fPCzNCa99IpKQVDNcl3rgD4tQ>
On Mon, Jun 10, 2024, 9:33 PM Michael Jones <michael_b_jones@hotmail.com> wrote:
>
> Watson, you wrote "An X509 certificate is the only way to link a DNS name to a key at a given point in time". However, that's not true. For over a dozen years, OpenID Connect has used a .well-known endpoint rooted at the issuer URL from which keys are retrieved (using the jwks_uri parameter) that are used to validate the signature by the issuer. No application-level X.509 required. The OAuth Authorization Server Metadata spec uses the same mechanism.
>
> And Watson, you wrote "I don't understand your proposal." I would propose to likewise define a .well-known endpoint for this specification used to retrieve keys used to validate the issuer signature. It's a well-established pattern that should be used here too.

The third sentence in the abstract of the draft explains why this won't work for certain applications, namely that the server might not be available when the signature needs verification.

Again, are there particular application platforms you are worried about not having X509 implementations?

Sincerely,
Watson Ladd
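The offline verification path the reply above is arguing for, as an added example that is not part of this thread and not code from the PIKA draft: the token carries the issuer's certificate chain in the JWS x5c header, and the verifier checks, with no network access, that the chain reaches a configured trust anchor and is valid at the time of interest, that the signature verifies under the leaf key, and that the leaf certificate's DNS name matches the host of the iss claim. The names NewIssuerPKI, SignES256 and VerifyOffline, the constructed test PKI and the issuer host issuer.example are all assumptions made for this example; the header layout is the generic x5c convention of JWS, not necessarily the exact format the draft specifies.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// NewIssuerPKI mints a constructed test PKI (a fixture, so errors are ignored): a root CA that plays
// the verifier's trust anchor, and a leaf certificate whose DNS SAN is the issuer's host name.
func NewIssuerPKI(issuerHost string) (roots *x509.CertPool, leafDER []byte, leafKey *ecdsa.PrivateKey) {
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test Root"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	rootDER, _ := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	root, _ := x509.ParseCertificate(rootDER)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{issuerHost},
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(1, 0, 0), KeyUsage: x509.KeyUsageDigitalSignature}
	leafDER, _ = x509.CreateCertificate(rand.Reader, leafTmpl, root, &leafKey.PublicKey, rootKey)
	roots = x509.NewCertPool()
	roots.AddCert(root)
	return roots, leafDER, leafKey
}

// SignES256 builds a compact JWS whose protected header carries the issuer's leaf certificate in x5c
// (standard base64 DER), so a verifier can locate and validate the key without fetching anything.
func SignES256(claims map[string]any, key *ecdsa.PrivateKey, leafDER []byte) string {
	hdr, _ := json.Marshal(map[string]any{"alg": "ES256", "x5c": []string{base64.StdEncoding.EncodeToString(leafDER)}})
	pl, _ := json.Marshal(claims)
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(pl)
	digest := sha256.Sum256([]byte(input))
	r, s, _ := ecdsa.Sign(rand.Reader, key, digest[:]) // only fails if crypto/rand does, which is fatal anyway
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...) // JWS ES256: raw r||s, not DER
	return input + "." + base64.RawURLEncoding.EncodeToString(sig)
}

// VerifyOffline validates a token without contacting the issuer: the x5c chain must reach a trusted root and
// be valid at "at", the signature must verify under the leaf key, and the leaf's DNS SAN must match the iss host.
func VerifyOffline(token string, roots *x509.CertPool, at time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".") // always has at least one element, so parts[0] is safe below
	var hdr struct{ Alg string; X5c []string } // encoding/json matches "alg"/"x5c" case-insensitively
	if hb, err := base64.RawURLEncoding.DecodeString(parts[0]); len(parts) != 3 || err != nil ||
		json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "ES256" || len(hdr.X5c) == 0 {
		return nil, fmt.Errorf("need a 3-part JWS whose header pins alg=ES256 and carries x5c") // never let the token pick the verifier
	}
	var certs []*x509.Certificate
	for _, c := range hdr.X5c { // x5c lists the leaf first, then its issuers
		der, _ := base64.StdEncoding.DecodeString(c)
		cert, err := x509.ParseCertificate(der)
		if err != nil {
			return nil, fmt.Errorf("x5c: %w", err)
		}
		certs = append(certs, cert)
	}
	leaf, inter := certs[0], x509.NewCertPool()
	for _, c := range certs[1:] {
		inter.AddCert(c)
	}
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, CurrentTime: at}); err != nil {
		return nil, fmt.Errorf("chain: %w", err)
	}
	pub, ok := leaf.PublicKey.(*ecdsa.PublicKey)
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if !ok || pub.Curve != elliptic.P256() || err != nil || len(sig) != 64 {
		return nil, fmt.Errorf("leaf key must be P-256 and the signature 64 raw bytes")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, fmt.Errorf("signature invalid")
	}
	var claims map[string]any
	if pb, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(pb, &claims) != nil {
		return nil, fmt.Errorf("malformed payload")
	}
	iss, _ := claims["iss"].(string)
	if u, _ := url.Parse(iss); u == nil || u.Scheme != "https" || leaf.VerifyHostname(u.Hostname()) != nil {
		return nil, fmt.Errorf("iss %q is not an https URL naming the certificate's DNS SAN", iss)
	}
	return claims, nil
}

func main() {
	roots, leafDER, leafKey := NewIssuerPKI("issuer.example")
	tok := SignES256(map[string]any{"iss": "https://issuer.example", "iat": time.Now().Unix()}, leafKey, leafDER)
	fmt.Println(VerifyOffline(tok, roots, time.Now())) // verifies with no network access at all
}
```

In the jwks_uri model the same key-to-issuer binding comes from fetching the issuer's discovery document and then its JWKS at verification time, which is exactly the availability assumption the draft's abstract says some applications cannot make; here the binding is carried in the token and checked against a trust anchor the verifier already holds. The flip side a practitioner should keep in mind: a verifier with no network also has no revocation information, so a compromised leaf key stays accepted until the certificate's NotAfter unless the verifier gets a freshness signal some other way.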