Re: [OAUTH-WG] Mail regarding draft-ietf-oauth-mtls
Brian Campbell <bcampbell@pingidentity.com> Tue, 06 November 2018 01:56 UTC
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2426412D4EA for <oauth@ietfa.amsl.com>; Mon, 5 Nov 2018 17:56:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p_Ja7rrgNVTs for <oauth@ietfa.amsl.com>; Mon, 5 Nov 2018 17:56:03 -0800 (PST)
Received: from mail-it1-x132.google.com (mail-it1-x132.google.com [IPv6:2607:f8b0:4864:20::132]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B3AC81294D0 for <oauth@ietf.org>; Mon, 5 Nov 2018 17:56:02 -0800 (PST)
Received: by mail-it1-x132.google.com with SMTP id r12-v6so12985099ita.3 for <oauth@ietf.org>; Mon, 05 Nov 2018 17:56:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=zrA8H9CfwBQ6vP93qLyFJkriax7nKpuIhMLzsQBxe5k=; b=OBXocpFvyExir8PqN3pnhYmaEUSPPV4oFn6QJucrO/bToNzyON3TFEG2tYWz9mLPTS 1f+xAUKNKqhe40lQwu3CkWzL68TZMx1YhkOJ0VJTvLaq8o9CVwjgTXYhhlpQSf98B+pm hex8eBXt1X7REp3Yi0OVI6ZPEV0sYQw+6X6+c=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=zrA8H9CfwBQ6vP93qLyFJkriax7nKpuIhMLzsQBxe5k=; b=Bh6O5K1N6FKNOILU4WJlSpahmVXpFfB5SVsdU0Dz/1b3/jGUaRdAw+TF4BBHiI62jT cNYhbzeFsX1ePZzHJqDMc1r0Kc268oxW+YeGYGuI7LSigYv1qlAgKnEeZ+vHh/QLN2+K TmLdbOg1Wdpl4ggSzthBSlvyBYxfW95h/lD8XzHo/ouMax5tHlzz72W1g1T297DxTa9E bMJxmHmBaYOQkpAXjirj6chxKm11JJte8slHRc1ZM4161nRhrtCo+HZv8gRZFxOZqeA4 M+WC5TeECqNHQBKyEzXceyDdaAlzuE2vrPuaidk+Wce9T9/ui197cGpmzHiadtxevbnH BvUA==
X-Gm-Message-State: AGRZ1gKHPm9DFAfKczlu50vbKAwbNpgrzga/r6HvlMkO9L6qnFRRD+MX erOXBlXfTTwIcOHUJD9ulQvfxieRe0YoDaLpBxkCQMQDm7v3Ph/xbXFYS0yx3YkmoIy5cVG8eXA S55dK4P+HA+z0Bw==
X-Google-Smtp-Source: AJdET5d+RupMCRa50fCP2hLQg3z7Vjg4ay6H4VltwZ6o7IQzMtJCnRywnJ8Wb3X/loQLdRnGZEWIRPXWpgtgRsjBxGc=
X-Received: by 2002:a02:128e:: with SMTP id 14-v6mr24325195jap.28.1541469361810; Mon, 05 Nov 2018 17:56:01 -0800 (PST)
MIME-Version: 1.0
References: <CAL841A_29YGLC-LtQcj1Mw15skys59V0DvDmyOpDS6V+x1LxWw@mail.gmail.com>
In-Reply-To: <CAL841A_29YGLC-LtQcj1Mw15skys59V0DvDmyOpDS6V+x1LxWw@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Tue, 06 Nov 2018 08:55:34 +0700
Message-ID: <CA+k3eCSuU=3ENrYk75e5waGD7erKsf5mX1vT+wfjkqL76QomwQ@mail.gmail.com>
To: Evan Gilman <evan2645@gmail.com>
Cc: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000be4b000579f54db4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/xXTL9iOLBSx6EPT-9hEyBaRfWsg>
Subject: Re: [OAUTH-WG] Mail regarding draft-ietf-oauth-mtls
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Nov 2018 01:56:06 -0000
Thanks Evan for bringing this to the WG's attention. More or less the same
question/issue was raised yesterday in the area director's review of the
document as well. I plan to bring this up as a discussion item in the
meeting today. But my sense from some early discussions is that there is
likely to be (rough) consensus to make some change in order to allow a SAN
to be specified as the certificate subject identifier in the PKI client
auth mode. We'll need to figure out the specifics of how that works. I
don't think there are significant drawbacks to extending the number of
client registration metadata parameters per se. I guess I've just been
attracted to the idea of overloading the existing value because that felt
like maybe a less invasive change. But perhaps that's shortsighted. And
there's nothing inherently wrong with additional client metadata
parameters.
I don't know if we could get away with a single new parameter that could
carry the value for any SAN type. Something like, { ...
"tls_client_auth_san": "spiffe://trust-domain/path" ...}. In practice I
feel like that'd probably be okay but in theory there's the potential for
confusion of the value across different types. So probably there's a need
to indicate the SAN type too. Either with more client metadata parameters
like tls_client_auth_san_uir, tls_client_auth_san_email,
tls_client_auth_san_ip, etc. or maybe with a structured value of some sort
like {... "tls_client_auth_san": {"type":"URI",
"value":"spiffe://trust-domain/path"} ... }. And then deciding which types
to support and if/how to allow for the extensible types.
Anyway, those are just some thoughts on it. And it'll be discussed more
today. Suggested/proposed text is always helpful though (even if it's not
used directly it can help move the conversation forward and/or help
editor(s) to have prospective wording).
On Tue, Nov 6, 2018 at 5:53 AM Evan Gilman <evan2645@gmail.com> wrote:
> Hello everyone.
>
> Very excited to see this draft. It helps tremendously in addressing
> use cases around oauth client management in machine-to-machine
> scenarios. Particularly, the PKI authentication method.
>
> In reviewing the document, I noticed that the only supported method
> for identifying a client using the PKI authentication method is by
> referencing its distinguished name. This caught me a bit by surprise -
> many newer projects aimed at automating X.509 issuance in the
> datacenter utilize SAN extensions rather than distinguished name in
> order to encode identity. I am further under the impression that the
> community is, in general, moving away from the subject extension
> altogether in favor of SAN-based identification.
>
> Full disclosure: I am one of the maintainers on a project called
> SPIFFE, which provides identity specifications for datacenter workload
> applications. For X.509, SPIFFE encodes identity into a URI SAN
> extension. A number of projects using SPIFFE do not configure the
> subject with identifying information (SPIRE and Google Istio being
> just a couple). I am also hearing of other X.509 automation projects
> which are moving away from subject/distinguished name (even if they
> are not using SPIFFE).
>
> While I think support for distinguished name is absolutely necessary,
> I worry that supporting it solely will render it incompatible with
> some of the more modern PKIX systems and not stand the test of time. I
> know that I am a little late to this, and for that I apologize... but
> I feel this is a significant point.
>
> I would like to open a discussion on supporting the most commonly used
> SAN extension types in addition to distinguished name. To accomplish
> this, amending section 2.1.2 `Client Registration Metadata` with
> additional parameters seems appropriate. In my experience, the most
> commonly used SAN extensions are: DNS name, IP address, URI, and email
> address.
>
> Are there significant drawbacks to extending the number of client
> registration metadata parameters? I would very much like to see this -
> without it, many existing projects will be unable to use the spec. I
> am happy to contribute time and text to this, assuming people feel
> that this is a beneficial addition. Sorry again for the timing
>
> --
> evan
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
--
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged
material for the sole use of the intended recipient(s). Any review, use,
distribution or disclosure by others is strictly prohibited. If you have
received this communication in error, please notify the sender immediately
by e-mail and delete the message and any file attachments from your
computer. Thank you._
- [OAUTH-WG] Mail regarding draft-ietf-oauth-mtls Evan Gilman
- Re: [OAUTH-WG] Mail regarding draft-ietf-oauth-mt… Brian Campbell
- Re: [OAUTH-WG] Mail regarding draft-ietf-oauth-mt… Neil Madden
- Re: [OAUTH-WG] Mail regarding draft-ietf-oauth-mt… Evan Gilman
- Re: [OAUTH-WG] Mail regarding draft-ietf-oauth-mt… Rifaat Shekh-Yusef
- Re: [OAUTH-WG] Mail regarding draft-ietf-oauth-mt… Justin P Richer
- Re: [OAUTH-WG] Mail regarding draft-ietf-oauth-mt… Torsten Lodderstedt
- Re: [OAUTH-WG] Mail regarding draft-ietf-oauth-mt… Brian Campbell
- Re: [OAUTH-WG] Mail regarding draft-ietf-oauth-mt… Brian Campbell
- Re: [OAUTH-WG] Mail regarding draft-ietf-oauth-mt… Evan Gilman
- Re: [OAUTH-WG] Mail regarding draft-ietf-oauth-mt… Torsten Lodderstedt
- Re: [OAUTH-WG] Mail regarding draft-ietf-oauth-mt… Evan Gilman
- Re: [OAUTH-WG] Mail regarding draft-ietf-oauth-mt… Brian Campbell