Re: [Txauth] Key handle vs client id & handle
Mike Jones <Michael.Jones@microsoft.com> Tue, 14 July 2020 16:18 UTC
From: Mike Jones <Michael.Jones@microsoft.com>
To: Dick Hardt <dick.hardt@gmail.com>, "txauth@ietf.org" <txauth@ietf.org>,
Justin Richer <jricher@mit.edu>
Thread-Topic: Key handle vs client id & handle
Date: Tue, 14 Jul 2020 16:18:28 +0000
Message-ID: <CH2PR00MB067803B92F8CF0A34DE0F2EFF5610@CH2PR00MB0678.namprd00.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/AqIfJjHj1B3wyawkeSVn4Y3KdXY>
I agree that there are significant differences between statically and dynamically registered clients and that it's appropriate to be able to syntactically differentiate between them at runtime. For one thing, the resource requirements at the authorization server can be very different.

We should also be thinking about how to include what the OpenID Connect Federation spec https://openid.net/specs/openid-connect-federation-1_0.html calls “Automatic Registration”. This lets the client encode a registration request reference in the client ID, so no static or dynamic registration even occurs. See https://openid.net/specs/openid-connect-federation-1_0-12.html#rfc.section.9.1.

-- Mike

From: Dick Hardt <dick.hardt@gmail.com>
Sent: Friday, July 10, 2020 1:17 PM
To: txauth@ietf.org; Justin Richer <jricher@mit.edu>; Mike Jones <Michael.Jones@microsoft.com>
Subject: Key handle vs client id & handle

+ Mike as he had interest in this topic

My understanding is that an existing OAuth 2 client would use their current client id as their key handle, and a dynamic client (one that was not pre-registered) would be given a key handle by the AS.

There are potentially some significant differences between a registered client and a dynamic client to an AS. The AS is likely to know the identity of a registered client, and have different policies between the two types of clients. For example, a registered client may have access to a "write" scope, while a dynamic client does not. The AS may have 100s or 1000s of registered clients, but a dynamic client may have 10Ms or 100Ms of instances, which may dictate separate storage services. Additionally, internal to the AS, which systems can write to the registered client store is going to be different than the dynamic client store.

In XYZ, subsequent calls to the AS, both registered clients and dynamic clients pass a key handle, so there is no easy way to differentiate between the two.

While the AS could embed semantics in the key handle identifier to indicate which identifiers are pre-registered vs dynamic, there are many cases where the AS does need to know the difference, so making the difference a feature of GNAP seems like a better path.
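As an added illustration of the option Dick's message mentions (the AS embedding semantics in the key handle it issues), the sketch below mints handles with a readable type label that is integrity-protected by an HMAC, so the AS can route registered and dynamic clients to separate stores and policies without trusting the label the client presents. This is example code, not XYZ or GNAP code; the `reg`/`dyn` labels, the handle layout, the AS secret and the scope policy are all constructed assumptions.

```python
import hmac
import hashlib
from typing import Optional

# Constructed example: one AS-side secret; a real AS would keep this in a KMS/HSM.
AS_SECRET = b"constructed-demo-secret-do-not-use"

# Constructed policy mirroring the message's example: only registered clients
# can be granted a "write" scope; dynamic clients are limited to "read".
ALLOWED_SCOPES = {"registered": {"read", "write"}, "dynamic": {"read"}}


def _tag(kind: str, ident: str) -> str:
    """MAC over the label *and* the identifier, so neither can be swapped."""
    msg = f"{kind}.{ident}".encode()
    return hmac.new(AS_SECRET, msg, hashlib.sha256).digest()[:16].hex()


def issue_handle(kind: str, ident: str) -> str:
    """Mint a key handle of the form <kind>.<ident>.<tag> (constructed format)."""
    if kind not in ("reg", "dyn"):
        raise ValueError("kind must be 'reg' or 'dyn'")
    return f"{kind}.{ident}.{_tag(kind, ident)}"


def classify_handle(handle: str) -> Optional[str]:
    """Return 'registered' or 'dynamic', or None if the handle is malformed
    or its label/identifier do not match the tag (i.e. it was altered)."""
    parts = handle.split(".")
    if len(parts) != 3:
        return None
    kind, ident, tag = parts
    if kind not in ("reg", "dyn"):
        return None
    # Constant-time compare: the tag is the only thing stopping a client from
    # relabeling a dynamic handle as a registered one.
    if not hmac.compare_digest(tag, _tag(kind, ident)):
        return None
    return "registered" if kind == "reg" else "dynamic"


def permitted_scopes(handle: str, requested: set) -> set:
    """Intersect the requested scopes with what the handle's class allows."""
    kind = classify_handle(handle)
    if kind is None:
        return set()          # unknown or tampered handle gets nothing
    return requested & ALLOWED_SCOPES[kind]
```

The AS can key its two client stores on the same classification, so the lookup path for a handle is decided before any database is touched.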