[OAUTH-WG] Re: Call for adoption - PIKA
Michael Jones <michael_b_jones@hotmail.com> Mon, 16 September 2024 19:52 UTC
I regret to have to report that the issues that I believe resulted in the first call for adoption failing, despite being discussed on-list and at IETF 120, have not been addressed in the specification <https://www.ietf.org/archive/id/draft-barnes-oauth-pika-01.html>. I did have a productive conversation with Richard in Vancouver, which resulted in him mentioning some of the problems in his presentation <https://datatracker.ietf.org/meeting/120/materials/slides-120-oauth-pika-01>.

Here are the problems that have not been addressed since the first call for adoption:

1. Application-level use of PKI trust chains. As I wrote in my response to the first call for adoption <https://mailarchive.ietf.org/arch/msg/oauth/rPPI9E8fwN1NiMM1TkaQUfFYEDI/>, "Other than for TLS certificates, the OAuth and JOSE specs generally steer clear of dependence upon X.509 certificates. Especially for a spec focused on JWK Sets, it's odd to require an X.509 certificate to secure them." This problem is acknowledged in Issue 1 of Slide 7 of Richard's presentation <https://datatracker.ietf.org/meeting/120/materials/slides-120-oauth-pika-01>. As I also wrote <https://mailarchive.ietf.org/arch/msg/oauth/zvIsbxHTFC4YXozOgOfQutR6GN8/>, "application-level X.509 ... is an anachronism that OAuth and JOSE have moved away from".

2. Reuse of keys intended for one purpose for a different purpose. PIKA uses WebPKI keys for signing things that are not Web resources. Key reuse is not a good security practice. This problem is acknowledged in Issue 2 of Slide 7 of Richard's presentation <https://datatracker.ietf.org/meeting/120/materials/slides-120-oauth-pika-01>.

3. Authorities with paths not secured. In OAuth, authorities such as issuers can have a path component in their URL. But the spec says "The contents of this field MUST represent a certificate chain that authenticates the domain name in the iss field" - meaning that the path component of the issuer is not secured.

4. Odd hybrid of JWKs and X.509. The spec uses both JSON Web Keys and X.509 certificates in the trust evaluation, which is an odd intermixing of technologies with overlapping purposes. Architecturally, it would be cleaner to go all in on one or the other. This is evident in Slide 5 of Richard's presentation <https://datatracker.ietf.org/meeting/120/materials/slides-120-oauth-pika-01>.

5. Upgrade path not defined. As Slide 7 of Richard's presentation <https://datatracker.ietf.org/meeting/120/materials/slides-120-oauth-pika-01> says, "Need to make sure that systems using PIKA have a clear upgrade/interop path to alternatives to application-level certificates (e.g., OpenID Federation)". This is a point that I know John Bradley made to Richard in person in Vancouver. This problem is not addressed in the specification.

I'm also personally uncomfortable with the direction of travel embraced by this specification. For over a decade, we've been consciously working to move OAuth away from X.509 and towards JOSE, and this specification goes in the opposite direction.

As documented above, these problems were discussed and acknowledged. Therefore, it's disappointing to me that the updated draft didn't address these previously identified issues. Therefore, I believe this specification should not be adopted, as the problems that caused it to not be previously adopted have not been addressed.

Sincerely,
-- Mike

From: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
Sent: Tuesday, September 3, 2024 3:47 AM
To: oauth <oauth@ietf.org>
Subject: [OAUTH-WG] Call for adoption - PIKA

All,

As per the discussion in Vancouver, this is a call for adoption for the Proof of Issuer Key Authority (PIKA) draft:
https://datatracker.ietf.org/doc/draft-barnes-oauth-pika/

Please, reply on the mailing list and let us know if you are in favor or against adopting this draft as WG document, by Sep 17th.

Regards,
Rifaat & Hannes
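Point 3 of the message above (a chain that authenticates only the domain name in `iss` leaves the issuer's path unbound), worked as an added example that is not code from the thread, the PIKA draft or any of its authors. The SAN strings, tenant URLs and the allow-list check are constructed assumptions standing in for a verified certificate chain and a relying party's own policy.

```python
"""Added illustration: binding an OAuth issuer to a certificate by host name
only does not distinguish issuers that differ solely in their URL path.

Assumed/constructed for this example: dNSName SAN strings stand in for an
already-verified certificate chain; wildcard matching follows the usual
single left-most-label rule; no network access, no real X.509 parsing.
"""
from urllib.parse import urlsplit


def hostname_matches(pattern: str, host: str) -> bool:
    """dNSName comparison allowing one left-most wildcard label (*.example.com)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host


def domain_only_check(iss: str, san_dns_names: list[str]) -> bool:
    """The binding the quoted draft text describes: the chain must authenticate
    the domain name in `iss`. Only the host is consulted; the path is ignored."""
    host = urlsplit(iss).hostname or ""
    return any(hostname_matches(p, host) for p in san_dns_names)


def issuer_check(iss: str, san_dns_names: list[str], trusted_issuers: set[str]) -> bool:
    """Assumed relying-party mitigation, not part of the draft: in addition to
    the host binding, require the complete issuer identifier (scheme, host and
    path) to appear on a local allow-list, so issuers sharing a host are not
    interchangeable. Rejects non-https issuers and any query/fragment."""
    parts = urlsplit(iss)
    if parts.scheme != "https" or parts.query or parts.fragment:
        return False
    allowed = {t.rstrip("/") for t in trusted_issuers}
    return domain_only_check(iss, san_dns_names) and iss.rstrip("/") in allowed


# Constructed scenario: one certificate for example.com, two issuers that
# differ only in their path component (e.g. two tenants on a shared host).
SAN = ["example.com"]
TENANT_A = "https://example.com/tenant-a"
TENANT_B = "https://example.com/tenant-b"

if __name__ == "__main__":
    # Host-only binding accepts both tenants for the same chain.
    print("domain-only, tenant A:", domain_only_check(TENANT_A, SAN))
    print("domain-only, tenant B:", domain_only_check(TENANT_B, SAN))
    # Full-identifier allow-list distinguishes them.
    print("allow-listed A:", issuer_check(TENANT_A, SAN, {TENANT_A}))
    print("B against A's allow-list:", issuer_check(TENANT_B, SAN, {TENANT_A}))
```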