Re: [Txauth] XYZ vs XAuth: Client Authentication / Proof of Possession
David Skaife <blue.ringed.octopus.guy@gmail.com> Fri, 20 March 2020 21:03 UTC
Return-Path: <blue.ringed.octopus.guy@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B8423A0E3A for <txauth@ietfa.amsl.com>; Fri, 20 Mar 2020 14:03:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ooHSK8fZ6Jil for <txauth@ietfa.amsl.com>; Fri, 20 Mar 2020 14:03:10 -0700 (PDT)
Received: from mail-ed1-x530.google.com (mail-ed1-x530.google.com [IPv6:2a00:1450:4864:20::530]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 110F63A0E39 for <txauth@ietf.org>; Fri, 20 Mar 2020 14:03:10 -0700 (PDT)
Received: by mail-ed1-x530.google.com with SMTP id a20so8796601edj.2 for <txauth@ietf.org>; Fri, 20 Mar 2020 14:03:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=52LsSwYufzgSwPlvOfT4STK6YQFtfEUuAZynWnu4jCY=; b=YH+yuGjgwZy87vNtzvGZLARG7mbXPqivB4EMw4L3zGhoCIXYTiV4iRhAF2SRVIc3SW 16CP1qnP8maQOmla0Bn0ibNN6hP4u5jAFNKHdLNmlhUwWTPM1OD6PnDpYGwo18viA259 NEESmIp+02sbiJJ7gAXU1Amwwp6XdSNjTEwpTx1sWxLqr9SF90ca/KubWKXwNBge5c3Y pB1YAQ+7+NtrjjE7ZMWHnAPuiMYlS/Y0bA0tDqJL7JKiUuImC0nIJqmdq5sraieDAAF8 4/1o5mTzpEQLX6VWYl3t+wwD/sTB6anAPjWiM+uQRjWIizOL5L/H0KqJaN8SBt3ZW7SA qSyw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=52LsSwYufzgSwPlvOfT4STK6YQFtfEUuAZynWnu4jCY=; b=ZpHDNDZsFIOoxn9T9qqSYVvDR/avxj6fPDcNv7bWha/ZCXycubYtozsczIoPDaIMwq AhpbP6c7RHZwYcuyBN+wA+QR4Gz3UuRsnLt6XrjiRuH3Anmzv47AO8rkDz0+c0mGOIEY s4Y00/mpNpgW98n5+lize3r5Ndx11JMjOLrFn379JNK+o874DsE91KHqkIfs2g0rjnP5 UspzQKX7QACb6zTU7kdN7/tJfi6DYJnQHl0HWn6uD3BLKzJfslSI+P1r1E/nXf1KcteC rU4fairizjqz7SMxuS2Qcym4hXUkPlam5NXMrsMb47BVwtaFkStTFw+g1nZKCbl1qUB9 Yz7Q==
X-Gm-Message-State: ANhLgQ18i3+C5kMksNDjY6iL1naMUcIY6JCKqwvJuhDMnIq4b+81jgP4 1Rh0/aXXuEy3t6lmTnoSDO/9ooCX/dn/M5TdDbfcjU3hqms=
X-Google-Smtp-Source: ADFU+vvo+up7qE+jKhly4gAjzSBctLjW+a9r0Uhhs1SDfd2dCPzECAr7D9zqUkM9fxFzwBdvK1+GfYQt+sYgJzU8aXY=
X-Received: by 2002:aa7:cf01:: with SMTP id a1mr10147318edy.282.1584738187502; Fri, 20 Mar 2020 14:03:07 -0700 (PDT)
MIME-Version: 1.0
References: <CAD9ie-s2mb_OKEjt-x3uwBB2gmEzMXKrZKg4necVFJQUosb=CA@mail.gmail.com>
In-Reply-To: <CAD9ie-s2mb_OKEjt-x3uwBB2gmEzMXKrZKg4necVFJQUosb=CA@mail.gmail.com>
From: David Skaife <blue.ringed.octopus.guy@gmail.com>
Date: Fri, 20 Mar 2020 21:02:57 +0000
Message-ID: <CAKiOsZu92JZatwCT840U405aQMoXWWcVXZmMc2gxH-mzr8oiiw@mail.gmail.com>
To: Dick Hardt <dick.hardt@gmail.com>
Cc: txauth@ietf.org, Justin Richer <jricher@mit.edu>
Content-Type: multipart/alternative; boundary="000000000000ba662205a14f9c31"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/1VRhL5CTcGkl2d6klaMDgpoxK-4>
Subject: Re: [Txauth] XYZ vs XAuth: Client Authentication / Proof of Possession
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Mar 2020 21:03:17 -0000
Hi, As requested by Dick in the parallel email chain, I'll see if this response can start to kick off some discussion. If I'm understanding this correctly, then the main difference here is the debate around whether to have a "default" authentication method or not. Both XYZ and XAuth appear to support having multiple different authentication methods that the client can use (which I certainly agree is sensible), but for XYZ this is part of the "core" protocol, whereas for XAuth it's more of an extension. My view is that I don't think the argument "*choosing one auth method as a default makes too many assumptions about client’s nature and deployment capabilities*" is necessarily a valid reason to avoid having a default. Having a default perhaps makes assumptions about the most *common* use cases and the most *common *clients, but it certainly doesn't prevent other more niche clients and use cases from being able to use the protocol. I share the concern raised in the XAuth rationale text that not having a default mechanism places a burden on the clients to choose, which may be off-putting or a distraction for some newcomers. I do however think the availability of different authentication methods should be part of the core protocol, to encourage each AS to implement as many different methods as possible - which it would be in there interest to do so as it would enable the AS to support more use cases. So in summary, I'm in favour of the protocol supporting multiple different authentication methods as part of the core protocol, but my preference would be to have a default selected if the client doesn't want (or need) to choose anything different. I don;t think having a default would be restrictive, and I think when the protocol is eventually launched/standardised in the future we'll have a clear view of what that default should be to ensure that it's aligned to the most common use cases. Many thanks, David Skaife On Mon, Mar 16, 2020 at 11:06 PM Dick Hardt <dick.hardt@gmail.com> wrote: > > *Client Authentication / Proof of Possession* > XYZ > - client proves use of bound keys via general-purpose mechanisms, > including detached JWS, DPoP, OAuth PoP, HTTP Sig, and MTLS > - RS access via bearer token or proof-of-possession through any allowable > key binding mechanism > > XYZ Rationale: choosing one auth method as a “default" makes too many > assumptions about client’s nature and deployment capabilities. AS should > support as many as it can (and possibly have an MTI requirement), client > supports whatever method makes the most sense for it. PoP mechanisms for RS > should be independent of mechanisms at AS. > > XAuth > - client proves use of bounds keys through an auth mechanism at GS > - specifies default mechanism using JOSE for GS and RS proof-of-possession > calls > - RS access via bearer token just like OAuth 2.0 > - extensions can define other mechanisms such as HTTP Sig or MTLS to > replace JOSE for either GS and/or RS calls > > XAuth Rationale: having a Client Authentication mechanism defined and as > default removes burden of selecting mechanism for most deployments, and > ensures interop. > ᐧ > -- > Txauth mailing list > Txauth@ietf.org > https://www.ietf.org/mailman/listinfo/txauth >
- [Txauth] XYZ vs XAuth: Client Authentication / Pr… Dick Hardt
- Re: [Txauth] XYZ vs XAuth: Client Authentication … David Skaife
- Re: [Txauth] XYZ vs XAuth: Client Authentication … Vijay IETF
- Re: [Txauth] XYZ vs XAuth: Client Authentication … Tobias Looker
- Re: [Txauth] XYZ vs XAuth: Client Authentication … Dick Hardt
- Re: [Txauth] XYZ vs XAuth: Client Authentication … Dick Hardt
- Re: [Txauth] XYZ vs XAuth: Client Authentication … Vijay IETF
- Re: [Txauth] XYZ vs XAuth: Client Authentication … Dick Hardt
- Re: [Txauth] XYZ vs XAuth: Client Authentication … Justin Richer
- Re: [Txauth] XYZ vs XAuth: Client Authentication … Vijay IETF
- Re: [Txauth] XYZ vs XAuth: Client Authentication … Dick Hardt
- Re: [Txauth] XYZ vs XAuth: Client Authentication … Dick Hardt
- Re: [Txauth] XYZ vs XAuth: Client Authentication … Yaron Sheffer
- Re: [Txauth] XYZ vs XAuth: Client Authentication … Vijay IETF