Re: [OAUTH-WG] New Version Notification for draft-fett-oauth-dpop-03.txt

Neil Madden <> Fri, 22 November 2019 09:44 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 0EA6D120288 for <>; Fri, 22 Nov 2019 01:44:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 7FctrR4rmMmk for <>; Fri, 22 Nov 2019 01:44:16 -0800 (PST)
Received: from ( [IPv6:2a00:1450:4864:20::433]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 51A60120048 for <>; Fri, 22 Nov 2019 01:44:16 -0800 (PST)
Received: by with SMTP id z3so7807244wru.3 for <>; Fri, 22 Nov 2019 01:44:16 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=BwQqM8E7ypPfR229QCojV7JHMY1dS1e8fDEk7bHl7mk=; b=XWo6635MDso49RANvtFVOUEwmuFsdN6GqzhxKiP/k1wGLeObqTfQCjs6G89qK4pqh7 gPAebKsWzhFCVJZHADeT/wPBnXj111b+8i9t9KUvHJBw4k+ZrRoA4+OX7GN2pelphZ58 QcpeeVgcbPzulL7EkWV5KMoenim/3VULe+fr4=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=BwQqM8E7ypPfR229QCojV7JHMY1dS1e8fDEk7bHl7mk=; b=lNxsv9TH/jMUKV+8Uk+km8mKEjQj+LEcnPyUW0Y7Sy2mj/+P7RySddHYGvzQLVAoAZ HjihTIt/P4XFVpxiASKoPpDe1CfyVKlPQOebbyqOzvp2XyRbhBjPssSNKn8V0dg3hhPu ueuvXzpcl0e0YuEBFz5r+jBFoUpI+58E7VOaveGvzfOZr0YtM13nBZQlA0Odyqc0S1iU mmbxpLW702cdj0z0Fk7ZJ64niNq0KZNkDIfVpqg9g1b+ry1sOqiPoWyMLSL/CRObokX1 7MRiz9tQlQyLzrMKmon0MUXt6E/xEyYNBj9usXpwg6VHvJ/QuYVLwtFEfisCTPKN+9ON basg==
X-Gm-Message-State: APjAAAX6Cgbkvw2WtjmoKlK3RauU7k2FKWEl/kewSjeqdALratIR43s5 YqLEHyk9cdyZQeX2+RWk2UwqKg==
X-Google-Smtp-Source: APXvYqx1VVNtRYpnp5lt8IsbKJwiUUhwiEsLt7pAvb3NIEuMRAvY+Ds+01hwwim4gzaG5GOlnkfgSA==
X-Received: by 2002:a5d:6b45:: with SMTP id x5mr416814wrw.16.1574415854433; Fri, 22 Nov 2019 01:44:14 -0800 (PST)
Received: from [] ( []) by with ESMTPSA id c76sm2892803wme.18.2019. (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 22 Nov 2019 01:44:13 -0800 (PST)
From: Neil Madden <>
Message-Id: <>
Content-Type: multipart/alternative; boundary="Apple-Mail=_06FFFFD5-D7DB-4807-A54C-07785AB758CE"
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3601.0.10\))
Date: Fri, 22 Nov 2019 09:44:11 +0000
In-Reply-To: <>
Cc: "Richard Backman, Annabelle" <>, oauth <>
To: Dick Hardt <>
References: <> <> <>
X-Mailer: Apple Mail (2.3601.0.10)
Archived-At: <>
Subject: Re: [OAUTH-WG] New Version Notification for draft-fett-oauth-dpop-03.txt
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 22 Nov 2019 09:44:19 -0000

On 22 Nov 2019, at 07:13, Dick Hardt <> wrote:
> On Fri, Nov 22, 2019 at 3:08 PM Neil Madden < <>> wrote:
> On 22 Nov 2019, at 01:42, Richard Backman, Annabelle < <>> wrote:
>> There are key distribution challenges with that if you are doing validation at the RS, but validation at the RS using either approach means you’ve lost protection against replay by the RS. This brings us back to a core question: what threats are in scope for DPoP, and in what contexts?
> Agreed, but validation at the RS is premature optimisation in many cases. And if you do need protection against that the client can even append a confirmation key as a caveat and retrospectively upgrade a bearer token to a pop token. They can even do transfer of ownership by creating copies of the original token bound to other certificates/public keys. 
> While validation at the RS may be an optimization in many cases, it is still a requirement for deployments.

It's a pattern currently used in some deployments. But as Brian (I believe) mentioned at the last OSW in Trento, you often really want to setup a shared key between the AS and the RS and use authenticated encryption instead for performance and PII protection reasons. And if you do that then (a) replay by the RS is not possible because each RS has a different key and (b) you can use the shared key for macaroons too.

(This is why I proposed adding public key authenticated encryption to JOSE [1] after OSW, and why the initial version of the draft included a simple two-way handshake to derive a symmetric session key that could be used for subsequent messages. That handshake had perfect forward secrecy and key compromise impersonation protection as well, which is overkill for DPoP hence my later simplified challenge-response version).

> I echo Annabelle's last question: what threats are in scope (and out of scope) for DPoP?

I agree this is the crucial question as per my original post a week ago asking what the intended threat model is [2].

[1]: <> 
[2]: <>

-- Neil