Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-mtls-03.txt

Brian Campbell <bcampbell@pingidentity.com> Wed, 02 August 2017 15:42 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 29635131C33 for <oauth@ietfa.amsl.com>; Wed, 2 Aug 2017 08:42:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5jB8TOi9ej8z for <oauth@ietfa.amsl.com>; Wed, 2 Aug 2017 08:42:30 -0700 (PDT)
Received: from mail-pg0-x230.google.com (mail-pg0-x230.google.com [IPv6:2607:f8b0:400e:c05::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3058A124B18 for <oauth@ietf.org>; Wed, 2 Aug 2017 08:42:30 -0700 (PDT)
Received: by mail-pg0-x230.google.com with SMTP id v77so16992134pgb.3 for <oauth@ietf.org>; Wed, 02 Aug 2017 08:42:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=zxxM+GqE4nanp2fm1madTtRNlbNQhrG4n/Blf7sy0HQ=; b=Rl9mSaDUqutwTVGImO8bmyb7HRtNzfa9nm29gXIwjn/YKW6dQNRsS6LoDKR8PefdXH i4Z3PCsmKIpn8BqOBdych4JOLg9opCZT/rBHkZenmkASf/xUTo/odOVi+xF4J770Sjwf F/LVpKqMZHUaH7G8edb0n1sCCS3444ZQ16yuM=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=zxxM+GqE4nanp2fm1madTtRNlbNQhrG4n/Blf7sy0HQ=; b=f2OAlz+QUWjQ+gEdjl0DC3WOrYYRlyk1bIcyYCvM76O02mu6UthIjyOTk5eclxSrX+ w7JNuszBBhBhHj/h43bSKId98H9Y/Vhf+TxmyesdPVUcG/QVh5HGkzfNA2++E7NP5ouc ZGV8/k5tp/sEZDpw2x1t9sU3iZKlb74DpvGCaAbPXol2RL15wzR1NvM70wL3xmDx+1Vw rWw8VDZRIp7XMQU0BUcPhl4xIulSCWfaW2zBpXdSTHKuu0s9zAkOsh9ymEQp8r3DtXAy nLpZKENJH+3X8g8ca4kY6Rw/VGvePFB/TGqn7ZxFvndIJdF17Cc82pje+xcisOuf7Oxh g7fA==
X-Gm-Message-State: AIVw111QTT3+qEynmRrxbKiVD837xNw1CjYmH6cROgnNNymZvrE112ox ouXp6kraoj3o3PtTxxAuBw4ACnQoJSZMaAqGxuG8GdYz50dRHCE3g+rIM/JXkycw8fT5+fv8mgY uASXK
X-Received: by 10.99.97.69 with SMTP id v66mr8665227pgb.332.1501688549603; Wed, 02 Aug 2017 08:42:29 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.100.182.230 with HTTP; Wed, 2 Aug 2017 08:41:58 -0700 (PDT)
In-Reply-To: <4d8af659-bbae-5abc-982c-a42d300bc5f9@connect2id.com>
References: <150126635076.25225.3854025136006448469@ietfa.amsl.com> <CA+k3eCThoxNM394K=it4vCL2k-BW68Lg73eTN=4Z3LrupbXtVw@mail.gmail.com> <AC43222A-BE6A-4577-9BFB-713054211E6A@mit.edu> <CA+k3eCQQOBDz-z4MOenOLLfgMqQ7kzdYg3VvpPH00Hdx092sAA@mail.gmail.com> <4d8af659-bbae-5abc-982c-a42d300bc5f9@connect2id.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Wed, 2 Aug 2017 09:41:58 -0600
Message-ID: <CA+k3eCRt9Cpa1qVjCfE7ZUpEWtMSnq2UNeJn1eGceA3JSu=01w@mail.gmail.com>
To: Vladimir Dzhuvinov <vladimir@connect2id.com>
Cc: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="94eb2c0cc59c9026070555c71c86"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/xqEVLMA65x0C9sAZt1rHMfduKIU>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-mtls-03.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Aug 2017 15:42:33 -0000

A fair suggestion and we'll see what can be done to make the distinction
more clear.

On Wed, Aug 2, 2017 at 2:02 AM, Vladimir Dzhuvinov <vladimir@connect2id.com>
wrote:

> In terms of structure, I would like to suggest giving PKI bound auth and
> pub key bound mTLS auth their own sections, instead of having them in
> one section (2.1 as it is now).
>
> The two methods are distinctive enough, and implementers should easily
> recognise they can implement just one of them.
>
> Vladimir
>
>
> On 01/08/17 22:57, Brian Campbell wrote:
> > Thanks Justin.
> >
> > In my original announcement email, I should have given credit to Torsten
> as
> > he made many of the updates in -03. So complements on improvements as
> well
> > as blame for issues can be pointed to him as well!
> >
> > Your point about document structure is taken and we will look to make the
> > separation of the client authentication and resource access more clear in
> > future revisions. The document was aiming for something conceptually
> along
> > those same lines already. But it could be made more clear.
> >
> > This could define a new “token_type” but other than having different
> token
> > type names in messages, I don't know that a new token_type or HTTP auth
> > scheme that would probably have to come along with it adds value to the
> use
> > cases here. However, they would very likely make deployment of this stuff
> > much more cumbersome and take longer.  Whereas many systems can likely
> plug
> > in mutual TLS on top of the existing token_type and HTTP auth scheme
> > without major changes. I'm strongly inclined to not introduce a new
> > token_type and more inclined to not do a new HTTP auth scheme.
> >
> > Fair point about breaking out all the registered parameters into their
> own
> > hanging list items. It is somewhat inconsistent in that regard now. Will
> > look to address that in a future revision.
> >
> > Using just a certificate hash for mTLS sender constrained access tokens
> was
> > intentional to allow mTLS at the resource to be used as a
> > proof-of-possession method only. It's part of the authorization check at
> > resource access and deliberately not about authentication with the RS.
> > Using the hash simplifies the check at the RS to one consistent way of
> > doing things while allowing for different modes of doing client
> > authentication at the AS. So the lack of parallelism with the client
> > authentication at the token endpoint was very much intentional. Following
> > from that, the need to do mTLS at the token endpoint in order to get
> > mTLS-bound access tokens for an RS was also kind of intentional. Though,
> as
> > §4.3 <https://tools.ietf.org/html/draft-ietf-oauth-mtls-03#section-4.3>
> > attempts to describe, a public client could do mTLS at the token endpoint
> > with a generated self-singed cert to have an access token bound but not
> > actually authenticate to the token endpoint. You are certainly right that
> > there are other ways an AS could decide on the certificate to bind the
> > access token to. And other ways a cnf claim member could provide for
> such a
> > binding. But we were aiming to not provide too many options in the doc.
> So
> > my thinking here was that this draft is about mTLS and so saying how to
> use
> > mTLS for the AS to do the access token binding seemed like the most
> > appropriate and straightforward approach. It's not so much that mTLS
> > authentication is needed for the client at the token endpoint to allow
> for
> > bound access tokens. But rather that having mTLS at the token endpoint
> > provides a strong signal of the certificate to which to bind the issued
> > access token.
> >
> >
> >
> >
> >
> >
> >
> > On Mon, Jul 31, 2017 at 2:18 PM, Justin Richer <jricher@mit.edu> wrote:
> >
> >> Brian, thanks for the update. This is really coming along!
> >>
> >> I think the spec would benefit from a more clear separation of the
> client
> >> authentication and resource access sections. They’re really almost two
> >> different but related specs, but there’s enough overlap that I think
> that
> >> keeping them in the same document is fine with some structural changes
> >> applied. I think the content is by and large all here, it’s just jumbled
> >> together.
> >>
> >> To that end, I think there might be three major sections to this
> document
> >> (not counting the IANA, security, privacy, and other boilerplate bits).
> A
> >> suggested breakdown:
> >>
> >> 1) Types of mTLS client auth under consideration. This is where the
> >> definition of public key vs. pki comes in, and where the two
> authentication
> >> methods are defined for both registration and discovery. Some
> implementor’s
> >> notes on what kinds of things you need to store here, including the
> >> tls_client_auth_ client metadata extensions. For better or worse, 7591
> >> defines OAuth’s client model, and not just for dynamic registration.
> >>
> >> 2) How to use mTLS to authenticate a client. This can be a relatively
> >> short section that says use (1) in the context of getting an access
> token
> >> at the token endpoint. Here is where you point out that you still need
> to
> >> send client_id and that the association with the cert’s DN and the
> >> client_id is done at the AS (there’s existing text for this).
> >>
> >> 3) How to use mTLS to bind an access token. This is a bit more
> complicated
> >> because it’s the RS that needs to know the binding between the token and
> >> the cert’s DN, so that’s where you’d define the “cnf” stuff. An
> unfortunate
> >> side effect of spec history means that the “cnf” claim for 7662 also
> gets
> >> defined here. This is also where you’d put the bits about
> >> mutual_tls_sender_constrained_access_tokens for discovery and
> >> registration. Should this be a new “token_type”?
> >>
> >>
> >> A few more comments:
> >>
> >> §2.3 really should break out all registered parameters into their own
> >> hanging list items (even if you break them up into different sections
> like
> >> suggested above)
> >>
> >> §3 seems to say that you can only do mTLS-bound access tokens at an RS
> if
> >> you do mTLS authentication at the token endpoint. Is that an intentional
> >> restriction? To me these two functions seem to be more orthogonal than
> the
> >> spec is hinting at. Like, I could use private_key_jwt or PKCE or magic
> to
> >> authenticate at the RS but use mTLS at the RS, for whatever esoteric
> >> reason, like the AS and RS being in different security domains. Still,
> >> functionally, if the client’s registered parameters are enough to trust
> for
> >> token issuance, they should be enough to trust for token usage. In other
> >> words, have the RS depend on tls_client_auth_subject_dn etc. instead of
> >> "the same certificate that was used for mutual TLS at the token
> endpoint".
> >>
> >> Along those lines, §3 also depends entirely on matching a specific
> >> certificate hash instead of validating a certificate (and possibly it’s
> >> chain) and associated DN. This isn’t in parallel with the client
> >> authentication at the token endpoint, and I’d like to see these come
> >> together. Should we have a third certificate validation method in §2 for
> >> “certificate hash”? Or maybe we should have a separate list for
> >> “resource_server_auth_method” for the client?
> >>
> >> In any event, it still feels like there are two things that are fighting
> >> for attention in this spec: cert-based authentication of the client at
> the
> >> token endpoint, and cert-based PoP of the token at the resource.
> >>
> >>  — Justin
> >>
> >> On Jul 28, 2017, at 2:33 PM, Brian Campbell <bcampbell@pingidentity.com
> >
> >> wrote:
> >>
> >> A new draft of "Mutual TLS Profile for OAuth 2.0" has been published
> with
> >> the changes listed below based on comments and dissuasion in Prague.
> >>
> >>    draft-ietf-oauth-mtls-03 <https://datatracker.ietf.org/
> doc/html/draft-ietf-oauth-mtls-03>
> >>
> >>    o  Introduced metadata and client registration parameter to publish
> >>       and request support for mutual TLS sender constrained access
> >>       tokens
> >>    o  Added description of two methods of binding the cert and client,
> >>       PKI and Public Key.
> >>    o  Indicated that the "tls_client_auth" authentication method is for
> >>       the PKI method and introduced "pub_key_tls_client_auth" for the
> >>       Public Key method
> >>    o  Added implementation considerations, mainly regarding TLS stack
> >>       configuration and trust chain validation, as well as how to to do
> >>       binding of access tokens to a TLS client certificate for public
> >>       clients, and considerations around certificate bound access tokens
> >>    o  Added new section to security considerations on cert spoofing
> >>    o  Add text suggesting that a new cnf member be defined in the
> >>       future, if hash function(s) other than SHA-256 need to be used for
> >>       certificate thumbprints
> >>
> >>
> >>
> >> ---------- Forwarded message ----------
> >> From: <internet-drafts@ietf.org>
> >> Date: Fri, Jul 28, 2017 at 12:25 PM
> >> Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-mtls-03.txt
> >> To: i-d-announce@ietf.org
> >> Cc: oauth@ietf.org
> >>
> >>
> >>
> >> A New Internet-Draft is available from the on-line Internet-Drafts
> >> directories.
> >> This draft is a work item of the Web Authorization Protocol WG of the
> IETF.
> >>
> >>         Title           : Mutual TLS Profile for OAuth 2.0
> >>         Authors         : Brian Campbell
> >>                           John Bradley
> >>                           Nat Sakimura
> >>                           Torsten Lodderstedt
> >>         Filename        : draft-ietf-oauth-mtls-03.txt
> >>         Pages           : 17
> >>         Date            : 2017-07-28
> >>
> >> Abstract:
> >>    This document describes Transport Layer Security (TLS) mutual
> >>    authentication using X.509 certificates as a mechanism for OAuth
> >>    client authentication to the token endpoint as well as for
> >>    certificate bound sender constrained access tokens.
> >>
> >>
> >> The IETF datatracker status page for this draft is:
> >> https://datatracker.ietf.org/doc/draft-ietf-oauth-mtls/
> >>
> >> There are also htmlized versions available at:
> >> https://tools.ietf.org/html/draft-ietf-oauth-mtls-03
> >> https://datatracker.ietf.org/doc/html/draft-ietf-oauth-mtls-03
> >>
> >> A diff from the previous version is available at:
> >> https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-mtls-03
> >>
> >>
> >> Please note that it may take a couple of minutes from the time of
> >> submission
> >> until the htmlized version and diff are available at tools.ietf.org.
> >>
> >> Internet-Drafts are also available by anonymous FTP at:
> >> ftp://ftp.ietf.org/internet-drafts/
> >>
> >> _______________________________________________
> >> OAuth mailing list
> >> OAuth@ietf.org
> >> https://www.ietf.org/mailman/listinfo/oauth
> >>
> >>
> >> *CONFIDENTIALITY NOTICE: This email may contain confidential and
> >> privileged material for the sole use of the intended recipient(s). Any
> >> review, use, distribution or disclosure by others is strictly
> prohibited.
> >> If you have received this communication in error, please notify the
> sender
> >> immediately by e-mail and delete the message and any file attachments
> from
> >> your computer. Thank you.*_________________________
> ______________________
> >> OAuth mailing list
> >> OAuth@ietf.org
> >> https://www.ietf.org/mailman/listinfo/oauth
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

-- 
*CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you.*