IETF Logo Mail Archive

Re: [Txauth] XYZ vs XAuth: Client Authentication / Proof of Possession

David Skaife <blue.ringed.octopus.guy@gmail.com> Fri, 20 March 2020 21:03 UTC

Return-Path: <blue.ringed.octopus.guy@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B8423A0E3A for <txauth@ietfa.amsl.com>; Fri, 20 Mar 2020 14:03:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ooHSK8fZ6Jil for <txauth@ietfa.amsl.com>; Fri, 20 Mar 2020 14:03:10 -0700 (PDT)
Received: from mail-ed1-x530.google.com (mail-ed1-x530.google.com [IPv6:2a00:1450:4864:20::530]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 110F63A0E39 for <txauth@ietf.org>; Fri, 20 Mar 2020 14:03:10 -0700 (PDT)
Received: by mail-ed1-x530.google.com with SMTP id a20so8796601edj.2 for <txauth@ietf.org>; Fri, 20 Mar 2020 14:03:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=52LsSwYufzgSwPlvOfT4STK6YQFtfEUuAZynWnu4jCY=; b=YH+yuGjgwZy87vNtzvGZLARG7mbXPqivB4EMw4L3zGhoCIXYTiV4iRhAF2SRVIc3SW 16CP1qnP8maQOmla0Bn0ibNN6hP4u5jAFNKHdLNmlhUwWTPM1OD6PnDpYGwo18viA259 NEESmIp+02sbiJJ7gAXU1Amwwp6XdSNjTEwpTx1sWxLqr9SF90ca/KubWKXwNBge5c3Y pB1YAQ+7+NtrjjE7ZMWHnAPuiMYlS/Y0bA0tDqJL7JKiUuImC0nIJqmdq5sraieDAAF8 4/1o5mTzpEQLX6VWYl3t+wwD/sTB6anAPjWiM+uQRjWIizOL5L/H0KqJaN8SBt3ZW7SA qSyw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=52LsSwYufzgSwPlvOfT4STK6YQFtfEUuAZynWnu4jCY=; b=ZpHDNDZsFIOoxn9T9qqSYVvDR/avxj6fPDcNv7bWha/ZCXycubYtozsczIoPDaIMwq AhpbP6c7RHZwYcuyBN+wA+QR4Gz3UuRsnLt6XrjiRuH3Anmzv47AO8rkDz0+c0mGOIEY s4Y00/mpNpgW98n5+lize3r5Ndx11JMjOLrFn379JNK+o874DsE91KHqkIfs2g0rjnP5 UspzQKX7QACb6zTU7kdN7/tJfi6DYJnQHl0HWn6uD3BLKzJfslSI+P1r1E/nXf1KcteC rU4fairizjqz7SMxuS2Qcym4hXUkPlam5NXMrsMb47BVwtaFkStTFw+g1nZKCbl1qUB9 Yz7Q==
X-Gm-Message-State: ANhLgQ18i3+C5kMksNDjY6iL1naMUcIY6JCKqwvJuhDMnIq4b+81jgP4 1Rh0/aXXuEy3t6lmTnoSDO/9ooCX/dn/M5TdDbfcjU3hqms=
X-Google-Smtp-Source: ADFU+vvo+up7qE+jKhly4gAjzSBctLjW+a9r0Uhhs1SDfd2dCPzECAr7D9zqUkM9fxFzwBdvK1+GfYQt+sYgJzU8aXY=
X-Received: by 2002:aa7:cf01:: with SMTP id a1mr10147318edy.282.1584738187502; Fri, 20 Mar 2020 14:03:07 -0700 (PDT)
MIME-Version: 1.0
References: <CAD9ie-s2mb_OKEjt-x3uwBB2gmEzMXKrZKg4necVFJQUosb=CA@mail.gmail.com>
In-Reply-To: <CAD9ie-s2mb_OKEjt-x3uwBB2gmEzMXKrZKg4necVFJQUosb=CA@mail.gmail.com>
From: David Skaife <blue.ringed.octopus.guy@gmail.com>
Date: Fri, 20 Mar 2020 21:02:57 +0000
Message-ID: <CAKiOsZu92JZatwCT840U405aQMoXWWcVXZmMc2gxH-mzr8oiiw@mail.gmail.com>
To: Dick Hardt <dick.hardt@gmail.com>
Cc: txauth@ietf.org, Justin Richer <jricher@mit.edu>
Content-Type: multipart/alternative; boundary="000000000000ba662205a14f9c31"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/1VRhL5CTcGkl2d6klaMDgpoxK-4>
Subject: Re: [Txauth] XYZ vs XAuth: Client Authentication / Proof of Possession
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Mar 2020 21:03:17 -0000

Hi,

As requested by Dick in the parallel email chain, I'll see if this response
can start to kick off some discussion.

If I'm understanding this correctly, then the main difference here is the
debate around whether to have a "default" authentication method or not.
Both XYZ and XAuth appear to support having multiple different
authentication methods that the client can use (which I certainly agree is
sensible), but for XYZ this is part of the "core" protocol, whereas for
XAuth it's more of an extension.

My view is that I don't think the argument "*choosing one auth method as a
default makes too many assumptions about client’s nature and deployment
capabilities*" is necessarily a valid reason to avoid having a default.
Having a default perhaps makes assumptions about the most *common* use
cases and the most *common *clients, but it certainly doesn't prevent other
more niche clients and use cases from being able to use the protocol. I
share the concern raised in the XAuth rationale text that not having a
default mechanism places a burden on the clients to choose, which may be
off-putting or a distraction for some newcomers. I do however think the
availability of different authentication methods should be part of the core
protocol, to encourage each AS to implement as many different methods as
possible - which it would be in there interest to do so as it would enable
the AS to support more use cases.

So in summary, I'm in favour of the protocol supporting multiple different
authentication methods as part of the core protocol, but my preference
would be to have a default selected if the client doesn't want (or need) to
choose anything different. I don;t think having a default would be
restrictive, and I think when the protocol is eventually
launched/standardised in the future we'll have a clear view of what that
default should be to ensure that it's aligned to the most common use cases.


Many thanks,
David Skaife

On Mon, Mar 16, 2020 at 11:06 PM Dick Hardt <dick.hardt@gmail.com> wrote:

>
> *Client Authentication / Proof of Possession*
> XYZ
> - client proves use of bound keys via general-purpose mechanisms,
> including detached JWS, DPoP, OAuth PoP, HTTP Sig, and MTLS
> - RS access via bearer token or proof-of-possession through any allowable
> key binding mechanism
>
> XYZ Rationale: choosing one auth method as a “default" makes too many
> assumptions about client’s nature and deployment capabilities. AS should
> support as many as it can (and possibly have an MTI requirement), client
> supports whatever method makes the most sense for it. PoP mechanisms for RS
> should be independent of mechanisms at AS.
>
> XAuth
> - client proves use of bounds keys through an auth mechanism at GS
> - specifies default mechanism using JOSE for GS and RS proof-of-possession
> calls
> - RS access via bearer token just like OAuth 2.0
> - extensions can define other mechanisms such as HTTP Sig or MTLS to
> replace JOSE for either GS and/or RS calls
>
> XAuth Rationale: having a Client Authentication mechanism defined and as
> default removes burden of selecting mechanism for most deployments, and
> ensures interop.
> ᐧ
> --
> Txauth mailing list
> Txauth@ietf.org
> https://www.ietf.org/mailman/listinfo/txauth
>

v2.23.0 | Report a Bug | By Email