Re: [OAUTH-WG] Adam Roach's No Objection on draft-ietf-oauth-mtls-16: (with COMMENT)
Brian Campbell <bcampbell@pingidentity.com> Thu, 22 August 2019 22:49 UTC
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0C568120099 for <oauth@ietfa.amsl.com>; Thu, 22 Aug 2019 15:49:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MY9UugJ2iX0K for <oauth@ietfa.amsl.com>; Thu, 22 Aug 2019 15:49:20 -0700 (PDT)
Received: from mail-io1-xd33.google.com (mail-io1-xd33.google.com [IPv6:2607:f8b0:4864:20::d33]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 068A0120091 for <oauth@ietf.org>; Thu, 22 Aug 2019 15:49:20 -0700 (PDT)
Received: by mail-io1-xd33.google.com with SMTP id b10so6526069ioj.2 for <oauth@ietf.org>; Thu, 22 Aug 2019 15:49:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=j6VsLE+ywPRjE7dnZ16bKs84pNEmFFRvnAwuj9xJMZs=; b=mkuNoOFeV6ZTN/a9Tp0Q/9tYIGrcRKp0h61c22ba854SZigy1uZDCDA9mKnH5R/eH4 Ar0HRvGn1APPKv93Hu5kBeRRB65ezUrTOsj1fAApKZ5ZdvhzfIylHNFXHv81QITroFPP AbfVIhms/Z3xFtlR+4BrtmsqNyakY4XKerAZ0=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=j6VsLE+ywPRjE7dnZ16bKs84pNEmFFRvnAwuj9xJMZs=; b=hwcg60F4C+cnlsjpXoBxDqOQdowoVQIunB/NlPE239elM7uEdGKFc7n0wdEDuE5PRV WL8L43zUWlGMemofmo4JIMDRBZ08EG5G+4d16WykLD21KufzYRVGSLEgUECR1ib1Cski 1AwyTCAc/Da+8YBwaqL4E+FhXtyJL7XRQQMJUlhBKJb0rpFJNXa2/qvooNUhDzJdlXpq R8aESanDw0BBulClmipWNqeQak+8eW630Blbi4dyRRu+1JpAaVofbqvv6fnWgQECGpKC 19fduRSC9PWUDK/mjzZooScdr+KE7ssUhubHAc0xAyLqTYS0tNr0Nn8BjhAei6qPfboT sn0w==
X-Gm-Message-State: APjAAAVulTdydWSPBKuGuYiK8tF34SVB9VxXvYl9LH4qh9kcAU2X95qY tv1GGSSpNbdPpv0kwenWLsbj4ltGUcGrhu7xkj5z38r/+TjkC/WyU4e67b6D447zZVrsTgP3Zqd W7EXir5bTBPiWGjuUZJk=
X-Google-Smtp-Source: APXvYqxs/seAM/XBOIUHVOyJzj8Q51Y3Gd2zKCExChXbWSzoLpbeL/EgKp7eX22mBoU4bEbt6c/Ji0RP0/M5qKH7aRw=
X-Received: by 2002:a6b:ea16:: with SMTP id m22mr1535051ioc.115.1566514159226; Thu, 22 Aug 2019 15:49:19 -0700 (PDT)
MIME-Version: 1.0
References: <156626655953.5157.11629807813580977810.idtracker@ietfa.amsl.com> <CA+k3eCQ5yOpqnbB+5eNmkOuLc+X=7MQvhx0VvXLAnXRE-k=sMg@mail.gmail.com>
In-Reply-To: <CA+k3eCQ5yOpqnbB+5eNmkOuLc+X=7MQvhx0VvXLAnXRE-k=sMg@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Thu, 22 Aug 2019 16:48:53 -0600
Message-ID: <CA+k3eCRz5J2dRbDipGeYaWnbqksVbP0CygugKn75+sRMWAg8AQ@mail.gmail.com>
To: Adam Roach <adam@nostrum.com>
Cc: The IESG <iesg@ietf.org>, draft-ietf-oauth-mtls@ietf.org, oauth <oauth@ietf.org>, oauth-chairs@ietf.org
Content-Type: multipart/alternative; boundary="000000000000ff2c360590bc7f40"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/wvkybZ0MshCKS2ZbDTPdBGBp0nE>
Subject: Re: [OAUTH-WG] Adam Roach's No Objection on draft-ietf-oauth-mtls-16: (with COMMENT)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Aug 2019 22:49:23 -0000
Regarding the comment on tls_client_auth_san_ip, some other reviewers have suggested using the using the IPv6 Address Text Representation described in RFC 5952 rather than the one from in RFC 4291. Which I think makes sense to do. Maybe also with a note that the comparison of the addresses should done using binary as suggested in https://tools.ietf.org/html/rfc5952#section-8 What do you think? On Wed, Aug 21, 2019 at 4:07 PM Brian Campbell <bcampbell@pingidentity.com> wrote: > Thanks Adam, I attempt to provide not-too-terrible replies to your > comments inline below. > > On Mon, Aug 19, 2019 at 8:02 PM Adam Roach via Datatracker < > noreply@ietf.org> wrote: > >> ---------------------------------------------------------------------- >> COMMENT: >> ---------------------------------------------------------------------- >> >> >> Thanks for the work that everyone did on this document. I have one >> suggestion >> for clarification, followed by a handful of editorial nits. >> >> >> --------------------------------------------------------------------------- >> >> §2.1.2: >> >> > tls_client_auth_san_ip >> > A string representation of an IP address in either dotted decimal >> > notation (for IPv4) or colon-delimited hexadecimal (for IPv6, as >> > defined in [RFC4291] section 2.2) that is expected to be present >> > as an iPAddress SAN entry in the certificate, which the OAuth >> > client will use in mutual TLS authentication. >> >> This probably needs some text that clarifies expectations around >> comparison >> and/or normalization. For example, if the iPAddress value in the cert is >> "20 01 0d b8 00 00 00 00 00 00 00 00 c0 00 02 ca" (and a mask of all >> F's), one >> should presume that this would match both tls_client_auth_san_ip values >> "2001:db8:0:0:0:0:c000:2ca" and "2001:DB8::192.0.2.202", right? If no, >> then >> this document needs to talk about normalization of address representation. >> > > Can you help me with some text here? I'm a bit out of my realm, to be > honest. I naively just want it to say that the tls_client_auth_san_ip value > and iPAddress value in the cert need to be the same IP address. But I do > realize "same" isn't totally clear as your comment and others have pointed > out. But I don't know enough to know how to write it in a way that's > suitable for this kind of thing. > > Alternatively, as I mentioned in my response to Ben (down a ways in > https://mailarchive.ietf.org/arch/msg/oauth/TMaNYXJgZ3-kz4GNsIL4O-9ncgQ), > I've never personally been able to think of a situation where > tls_client_auth_san_ip is actually needed. So maybe removing it all > together is an option as well? > > > >> >> --------------------------------------------------------------------------- >> >> §1: >> >> > Layering on the abstract flow above, this document standardizes >> > enhanced security options for OAuth 2.0 utilizing client certificate >> > based mutual TLS. >> >> Nit: "client-certificate-based" >> > > Mr. Kaduk beat you to this one. Will fix. > > > > OAuth 2.0 defines a shared secret method of client authentication but >> >> Nit: "shared-secret" >> > > Will fix. > > >> >> >> --------------------------------------------------------------------------- >> §1: >> >> > This document describes an additional >> > mechanism of client authentication utilizing mutual TLS certificate- >> > based authentication >> >> Nit: "mutual-TLS" >> >> > Mutual TLS certificate-bound access tokens ensure that only the party >> >> Nit: "Mutual-TLS" >> >> > Mutual TLS certificate-bound access tokens and mutual TLS client >> >> Nit: "Mutual-TLS... mutual-TLS" >> >> > Additional client metadata parameters are introduced by this document >> > in support of certificate-bound access tokens and mutual TLS client >> > authentication. >> >> Nit: "mutual-TLS" >> >> The remainder of the document has several other uses of the phrase "mutual >> TLS" as an adjective; they should be similarly hyphenated. I will not call >> them out individually. (Non-adjectival uses should not contain hyphens, so >> this isn't a simple find-and-replace operation.) >> > > Understood. In theory anyway. I'll take a pass thought the whole document > and endeavor to find and hyphenate all the places that "mutual TLS" is used > as an adjective. > > > >> >> >> --------------------------------------------------------------------------- >> >> §5: >> >> > Authorization servers supporting both clients using mutual TLS and >> > conventional clients MAY chose to isolate the server side mutual TLS >> > behaviour to only clients intending to do mutual TLS, thus avoiding >> >> Nit: "behavior" (or adjust other spellings in the document to be >> consistently >> British). >> > > Ugh. I'm surprised my jingoistic spellcheck didn't flag that one. Will > fix. > -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._
- [OAUTH-WG] Adam Roach's No Objection on draft-iet… Adam Roach via Datatracker
- Re: [OAUTH-WG] Adam Roach's No Objection on draft… Brian Campbell
- Re: [OAUTH-WG] Adam Roach's No Objection on draft… Brian Campbell
- Re: [OAUTH-WG] Adam Roach's No Objection on draft… Adam Roach
- Re: [OAUTH-WG] Adam Roach's No Objection on draft… Brian Campbell