Re: [OAUTH-WG] Omit "jwk" (or use "kid" instead) in DPoP Proof?
Dick Hardt <dick.hardt@gmail.com> Tue, 08 September 2020 22:57 UTC
Return-Path: <dick.hardt@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3ECCC3A07EC for <oauth@ietfa.amsl.com>; Tue, 8 Sep 2020 15:57:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t7PzmUYRcuLJ for <oauth@ietfa.amsl.com>; Tue, 8 Sep 2020 15:57:23 -0700 (PDT)
Received: from mail-lj1-x232.google.com (mail-lj1-x232.google.com [IPv6:2a00:1450:4864:20::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D07473A07B3 for <oauth@ietf.org>; Tue, 8 Sep 2020 15:57:22 -0700 (PDT)
Received: by mail-lj1-x232.google.com with SMTP id c2so976519ljj.12 for <oauth@ietf.org>; Tue, 08 Sep 2020 15:57:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=a3WGk+IrD09UNY2VXmZ5A48QRZ7RnA/GxgG95szirR8=; b=Kz2cyYYZfVnvPXWa/8b2rWSIHdsg4VPD9MLEoTtA5Cs//UhKfiEX7o4fRLBr1bvbXq AiIiseGFEiHwjMzHzYkkIOV6Edgn+POFlniLSOScUMSHzpD0jFpUmUpSMrxHzUUBcTPB Qu3dLv4BwUtRVXhfW9yLm8Dp4WBoCwNRkLKME8K1Q+NL3pGeh3yuhmCgJe2Lob3ZSEQc gg7ZBwagaBOMAa0LmYWvZjW7J4kR+pUn3H+SdCFi/ZYZS7zMXC9yfVtyKdge7l/v5/K3 1tBmuixaBoDgUOAPJDcRI4ytdDQ25gUF+rUwtGWJqSEotyetJu3G62HeP8I2zHivdbqi EW7Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=a3WGk+IrD09UNY2VXmZ5A48QRZ7RnA/GxgG95szirR8=; b=oxcyGZM7IzCRwbAqXtDyzWWrKTHjKpwF0PBkNWgslOQ+dqzvbroqWRmH3AgvwDRVvQ svWZUp4f9ldd7Xd5/15N0dMhvfMw1YmOoOIviT8T+VTvlf6dUvVT9Vw8AnwWYADYUBCI QcCP3NY3fI9wbV6488yN8cKul2VRbFYDyFzt/rteTk+mih3vLWM/oETSmecUBnrFh3nF FxL/hjMZpAhFvbnIB0/OB0oXD9jpX4pPY5agKsBCpgH0VE2++WJRgzj5jDuvmvqgKVVs at8dH5ecnes5ytWhX94bV266+Wp02tRbrxbzKIyYKRR/xmtmRcIQQiG3R06pec5LTSmn Tpeg==
X-Gm-Message-State: AOAM5315QmWWr2QhdIZ2rzpzFqqVvOZfF4FhO1q9mbXCR1YAzobK0kXg NU+qdyNmKREaCMukbBrTjXTTbG3eCnVu3BzoctxyjtiEIik=
X-Google-Smtp-Source: ABdhPJwvuIw0bIQSWFuVrtyNJ9K5I6kzd1LXbi1TTtxIZGkJEQ7ZEKQ8T1GVFeimrrqD9rE9tpeR/pP5UsIuxd8IBh4=
X-Received: by 2002:a2e:b5a8:: with SMTP id f8mr361648ljn.246.1599605840894; Tue, 08 Sep 2020 15:57:20 -0700 (PDT)
MIME-Version: 1.0
References: <TY1PR01MB1466E7D4AF21EA5C56467E6AE5290@TY1PR01MB1466.jpnprd01.prod.outlook.com> <CA+k3eCRffzry_+GVieOcWs0RHqwo_XGgMTwx4LOCZFPioD_xdw@mail.gmail.com> <65ca9259-3095-9051-93b6-653e445acad4@ve7jtb.com>
In-Reply-To: <65ca9259-3095-9051-93b6-653e445acad4@ve7jtb.com>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Tue, 08 Sep 2020 15:56:44 -0700
Message-ID: <CAD9ie-t=OQkRh3tJ+s7SObQORAvZ1q=W+HaLLqAA2=5m9v1DsQ@mail.gmail.com>
To: John Bradley <ve7jtb@ve7jtb.com>
Cc: oauth@ietf.org
Content-Type: multipart/alternative; boundary="000000000000ed609205aed54166"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/yaraGc5Mpco1nelR5LEukpC9BYA>
Subject: Re: [OAUTH-WG] Omit "jwk" (or use "kid" instead) in DPoP Proof?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Sep 2020 22:57:25 -0000
+1 KISS ᐧ On Tue, Sep 8, 2020 at 3:55 PM John Bradley <ve7jtb@ve7jtb.com> wrote: > +1 > On 9/8/2020 7:45 PM, Brian Campbell wrote: > > Indeed there are cases, as you point out, where the key might be knowable > to the server via some other means, which makes the "jwk" header in the > DPoP proof not strictly necessary. And while omitting the key in such cases > would reduce the size of some messages (the DPoP proof anyway), such > optionality would add complexity to implementations and deployments (and > that kind of complexity can and often does degrade interoperability and > even security). How, for example, would a client know if the access token > includes the public key and thus whether or not to include the key with the > proof? Sure the access token could always include the key (rather than > thumbprint) but then there's the question of how to get the key to the AS. > As well as the stated desire to utilize the same DPoP Proof structure for > requests to both the AS and RS. There will be some clients that have public > key(s) registered and some that won't (maybe a lot that won't as a driving > use case for many for this is key binding access and refresh tokens for > public clients). The protocol defined by the draft needs to account for > both. > > Ultimately there are a number of different ways the necessary data could > flow through the various protocol elements. And there are some tradeoffs > with different approaches and/or trying to accommodate variations under one > approach. The approach the draft has taken thus far is to prioritize > consistency and simplicity as much as is possible. And that ethos has led > to how it's currently defined, which is to always include the key in the > proof and bind to a hash of the key in the access token. > > > On Tue, Sep 8, 2020 at 3:29 AM <toshio9.ito@toshiba.co.jp> wrote: > >> Hi all, >> >> In section 4.1 of draft-ietf-oauth-dpop-01, the "jwk" header parameter is >> REQUIRED. However, there are some cases where "jwk" is not necessary in >> theory. >> >> For example, consider a case where the client is registered with the >> Authorization Server, and its one and only public key is also registered >> with >> the AS. In that case, when the AS receives a request on Token endpoint, >> it can >> just use the public key registered for the client to verify the DPoP >> Proof. >> There is no need to send the public key in DPoP Proof. >> >> The same goes for requests to the Resource Server, if the AS and RS share >> the >> storage for clients' public keys. Things are a little difficult if the AS >> and RS >> are separate. Probably the Access Token or its introspection result have >> to >> include the public key (instead of its thumbprint as described in section >> 7). >> >> If the client registers multiple keys with the AS, it needs to specify >> which key >> it uses to sign the DPoP Proof. However, there is still no absolute need >> to send >> the whole key in DPoP Proof. Instead, the client could use "kid" header >> parameter to specify the key. >> >> Daniel Fett once mentioned the above case in the GitHub issue #26 [*1], >> but I'm >> not sure what happened to the discussion. There was also a comment on the >> latest >> draft about the "jwk" header parameter [*2]. I agree with using the same >> DPoP >> Proof structure for requests to AS and RS, but I think there are some >> cases >> where we can omit "jwk" in BOTH requests. Making "jwk" OPTIONAL would >> allow >> those cases to reduce some messaging overhead. >> >> I'd like to hear your opinions about it. >> >> >> [*1]: >> https://github.com/danielfett/draft-dpop/issues/26#issuecomment-480701746 >> [*2]: >> https://mailarchive.ietf.org/arch/msg/oauth/smwsONA6c4H2UICcZMzb8Yv2QRc/ >> >> >> Best regards, >> Toshio Ito >> >> ------------- >> Toshio Ito >> Research and Development Center >> Toshiba Corporation >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> > > *CONFIDENTIALITY NOTICE: This email may contain confidential and > privileged material for the sole use of the intended recipient(s). Any > review, use, distribution or disclosure by others is strictly prohibited. > If you have received this communication in error, please notify the sender > immediately by e-mail and delete the message and any file attachments from > your computer. Thank you.* > > _______________________________________________ > OAuth mailing listOAuth@ietf.orghttps://www.ietf.org/mailman/listinfo/oauth > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
- [OAUTH-WG] Omit "jwk" (or use "kid" instead) in D… toshio9.ito
- Re: [OAUTH-WG] Omit "jwk" (or use "kid" instead) … Takahiko Kawasaki
- Re: [OAUTH-WG] Omit "jwk" (or use "kid" instead) … Brian Campbell
- Re: [OAUTH-WG] Omit "jwk" (or use "kid" instead) … John Bradley
- Re: [OAUTH-WG] Omit "jwk" (or use "kid" instead) … Dick Hardt
- Re: [OAUTH-WG] Omit "jwk" (or use "kid" instead) … Neil Madden
- Re: [OAUTH-WG] Omit "jwk" (or use "kid" instead) … Filip Skokan
- Re: [OAUTH-WG] Omit "jwk" (or use "kid" instead) … toshio9.ito
- Re: [OAUTH-WG] Omit "jwk" (or use "kid" instead) … toshio9.ito
- Re: [OAUTH-WG] Omit "jwk" (or use "kid" instead) … Brian Campbell
- Re: [OAUTH-WG] Omit "jwk" (or use "kid" instead) … Dick Hardt
- Re: [OAUTH-WG] Omit "jwk" (or use "kid" instead) … Brian Campbell