IETF Logo Mail Archive

Re: [OAUTH-WG] [UNVERIFIED SENDER] RE: Cryptographic hygiene and the limits of jwks_uri

Dick Hardt <dick.hardt@gmail.com> Fri, 10 January 2020 18:09 UTC

Return-Path: <dick.hardt@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 11A84120AA4 for <oauth@ietfa.amsl.com>; Fri, 10 Jan 2020 10:09:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Nu7hQaBx5dib for <oauth@ietfa.amsl.com>; Fri, 10 Jan 2020 10:09:17 -0800 (PST)
Received: from mail-lf1-x129.google.com (mail-lf1-x129.google.com [IPv6:2a00:1450:4864:20::129]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 964C3120A40 for <oauth@ietf.org>; Fri, 10 Jan 2020 10:09:16 -0800 (PST)
Received: by mail-lf1-x129.google.com with SMTP id v201so2136839lfa.11 for <oauth@ietf.org>; Fri, 10 Jan 2020 10:09:16 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=ADv2eLsUofIvRp3QzLJCQzVXkROoXfK4e1Y+4mELgKs=; b=Fuo3Y0C/IpTRzKDSUx62LEHgvjWb94ZXGiuacvTg+NAMXPf9mhcMfE1/yFHbK99vXC 2wRwdgBBdfj6fA3bhNhYWzE1xjOUSQfPLyjjdXY1rVewTYwnL3WySOwLbXrJfDQv7n96 rgvMTeOFitjpHtk3DgZf+szl/TVyBPyVZWykkKAdh8mTJbOsXNaSypH2+8NBcfUzISy8 K0UEYShDIA0+6YMk87vb9ghp63YIEGYNi2Tu00jZTmYhYa0BeUS9ZevMWfi6e2gk60UW MdiWYhXQNvSVTnVM3/hql/U7BMe5TKwUW9p61Cw7vXc57fRG2et9JbF5Mbz+AemqKIGa tlMA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ADv2eLsUofIvRp3QzLJCQzVXkROoXfK4e1Y+4mELgKs=; b=JtF03S9MeOqdbGGzVU+KnxzPMeyFtTXIv8AoDEfnd6zgA7rewRaNfO44H4LvBwLvZZ h3AS4jgooHQ6SpgEyciYI2IAxdITUrI/pEopPLJI38PWK9hZZJx5CKPyRA4n/RVyIKBb sIYxK2dQk8VlfgzpNEK/wgIIXACfUaxaEzmXU8lupt2giESvYEEKX8hM46oQDUBIJCUF hfneGWaclj/BukoIZEVjSfcI0v4zmDsvjZp1HCZ5820W/wXQsjp+JvXIVsyLQhEsMAgQ RLL/jiToHXdhb0vkguKNbU1EP7g1KtP8EPK/+qT1MdlOf6UJ5x7beqRKD6ozjEO0Afn9 lAUA==
X-Gm-Message-State: APjAAAUE5vcUamqokWKiA3T/95MnyvDPIa89nnmDBR3Jxp3hrBZ0rg0E LK5v4RHHvRMc3lHgLxDlm24Ddt0yDKhR9O8r1HQ=
X-Google-Smtp-Source: APXvYqwcY9g/ah2KeSh61Vd0pFmYl/RhXJYHclje8AHMxsisyEGa9mpQOUC68b0K1t4slrD53KcxDQHa5ihUA7lUHVo=
X-Received: by 2002:ac2:50cc:: with SMTP id h12mr3101741lfm.29.1578679754802; Fri, 10 Jan 2020 10:09:14 -0800 (PST)
MIME-Version: 1.0
References: <CAD9ie-tNugk-Whm4JrYD2vbZBGmrtUVNrqTeag_JsAm36qr1sw@mail.gmail.com> <5747AA1C-0732-49F3-B18F-EF6395C405C9@lodderstedt.net>
In-Reply-To: <5747AA1C-0732-49F3-B18F-EF6395C405C9@lodderstedt.net>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Fri, 10 Jan 2020 10:09:03 -0800
Message-ID: <CAD9ie-sHSNn34S-hyQHa-uxMKNhH22i-9ajdyTEyPh8w61yHsA@mail.gmail.com>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
Cc: Justin Richer <jricher@mit.edu>, oauth <oauth@ietf.org>, "Richard Backman, Annabelle" <richanna=40amazon.com@dmarc.ietf.org>, Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org>
Content-Type: multipart/alternative; boundary="000000000000ffce97059bcd0519"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/wqzDJRZwb6kw6k7ge81OtLlwuuE>
Subject: Re: [OAUTH-WG] [UNVERIFIED SENDER] RE: Cryptographic hygiene and the limits of jwks_uri
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Jan 2020 18:09:19 -0000

Perhaps I am misunderstanding what Annabelle was getting at, but having
more than one key in the metadata document would solve the the issue. IE,
extensions would define their own key instead of using the same one.

The metadata document itself was an extension.


On Fri, Jan 10, 2020 at 9:58 AM Torsten Lodderstedt <torsten@lodderstedt.net>
wrote:

>
>
> > Am 10.01.2020 um 18:23 schrieb Dick Hardt <dick.hardt@gmail.com>:
> >
> > As OAuth 2.0 has been extended, the AS is now also an OpenID Connect
> Provider, and the access token is being defined. These extensions have
> assumed all of this functionality is a monolith.
> >
> > I'm not suggesting that we MUST make changes to existing extensions, but
> design future extensions so that an implementation can separate duties if
> desired.
>
> How do you envision this to work? As you said, OAuth 2.0 is built on the
> assumption the AS is (at least logically) a monolith. All extension were
> built on that underlying assumption. I don’t see how an arbitrary extension
> can relax that assumption and still be compatible with the rest (just
> revisit the discussion re PAR and keys).
>
> I think we should accept this design assumption, in the same way we should
> accept form encoding as request format instead of JSON, for OAuth 2.0
> extensions.
>
> OAuth 3.0 could explicitely be developed with different architectures in
> mind.

v2.23.0 | Report a Bug | By Email