Re: [OAUTH-WG] MTLS vs. DPOP

Karl McGuinness <kmcguinness@okta.com> Tue, 07 May 2019 18:10 UTC

From: Karl McGuinness <kmcguinness@okta.com>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
CC: Hannes Tschofenig <Hannes.Tschofenig@arm.com>, "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] MTLS vs. DPOP
Date: Tue, 07 May 2019 18:09:57 +0000
Message-ID: <CA58E903-D591-443A-87AF-B7F5287216D7@okta.com>
References: <DBBPR08MB4539BA4621AC8029AEF4F8C8FA310@DBBPR08MB4539.eurprd08.prod.outlook.com> <6A97A589-FB03-4EE3-8403-43D12E82071C@lodderstedt.net>
In-Reply-To: <6A97A589-FB03-4EE3-8403-43D12E82071C@lodderstedt.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/wVMolRnTLLKCQCT219gKGeVM8BI>

mTLS has significant challenges at scale in a multi-tenant SaaS deployment on public clouds using modern edge technologies/services. Applications are increasingly being built using Function-as-a-Service/ephemeral workloads as well. Additional complexity increases if you also want to support "bring your own CA".

DPoP enables an application-level deployment model independent of how one's edge or runtime is deployed/managed. This is very valuable for SaaS providers. We expect to eventually deploy a DPoP-like solution for all client models and not just SPA.

-Karl

> On May 7, 2019, at 10:43 AM, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
> 
> Hi, 
> 
> mTLS is dead simple to use, secure, is used and can be used on a broad basis (in contrast to the token binding stuff). I also like the fact it provides both client authentication and sender-constraining.
> 
> We started the work on DPoP for the simple reason that SPAs don’t work well with mTLS and we want to provide a solution with somehow limited capabilities, e.g. regarding replay protection (see DPoP introduction). 
> 
> If someone asks me for the default solution, it’s simple: use mTLS. And if you build a SPA and want to do really security sensitive things, implement your OAuth stuff and the RS interactions in the backend of your application. 
> 
> DPoP is in a really early stage, let’s see where it will go.
> 
> best regards,
> Torsten. 
> 
>> On 7. May 2019, at 10:25, Hannes Tschofenig <Hannes.Tschofenig@arm.com> wrote:
>> 
>> Hi all,
>> 
>> In the OAuth conference call today Vittorio mentioned that some folks are wondering whether DPOP is essentially a superset of MTLS and whether it makes sense to only proceed with one solution rather than potentially two.
>> 
>> I was wondering whether others in the group have a view about this aspect?
>> 
>> Ciao
>> Hannes