Re: [jose] Security Evaluation Request

"Manger, James" <James.H.Manger@team.telstra.com> Tue, 10 July 2018 00:28 UTC

From: "Manger, James" <James.H.Manger@team.telstra.com>
To: Anders Rundgren <anders.rundgren.net@gmail.com>, "jose@ietf.org" <jose@ietf.org>
Date: Tue, 10 Jul 2018 00:28:16 +0000
Message-ID: <MEAPR01MB354279C123290AA06D1BE78AE55B0@MEAPR01MB3542.ausprd01.prod.outlook.com>
References: <39b09bfa-1ff5-c47d-7dd8-8944eeee9189@gmail.com>
In-Reply-To: <39b09bfa-1ff5-c47d-7dd8-8944eeee9189@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/N1tfXMMjInAPYLxYBJsEOXqXuZI>

Hi Anders,

Isn't FIDO2 (aka W3C Web Authentication + CTAP) with an NFC authenticator a more thorough version of your site-PC-NFC-mobile scheme?
Both have communications from a site to the PC/browser then over NFC to a mobile that has a crypto key. FIDO assumes the browser checks the web site authentication; your scheme has a "Web NFC driver" to do this task.
The communication channels in the reverse direction are different: FIDO re-uses the same NFC channel; your scheme uses the mobile's own network. But as the security comes from the mobile's private key, there seems to be little benefit from having a separate channel - only a downside if it isn't available.

[1] DRAFT W3C Web Authentication; https://w3c.github.io/webauthn/
[2] DRAFT FIDO 2.0 Client to Authenticator Protocol (CTAP): NFC; https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-client-to-authenticator-protocol-v2.0-id-20180227.html#nfc

--
James Manger

-----Original Message-----
From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Anders Rundgren
Sent: Monday, 9 July 2018 10:17 PM
To: jose@ietf.org
Subject: [jose] Security Evaluation Request

If there is anybody out there interested in Web security schemes relying on OOB channels, I would very much appreciate a review or just comments:
https://github.com/cyberphone/qr-replacement#a-better-qr

If you wonder who actually uses such schemes, they currently involve a billion users or so although most of them are about payments rather than user authentication.

This posting is also meant to serve as a defensive publication.

thanx,
Anders
