Re: [OAUTH-WG] Holder-of-the-Key for OAuth

John Bradley <ve7jtb@ve7jtb.com> Tue, 10 July 2012 16:58 UTC

References: <8FB1BC31-D183-47A0-9792-4FDF460AFAA1@gmx.net> <255B9BB34FB7D647A506DC292726F6E114F7977420@WSMSG3153V.srv.dir.telstra.com> <1341939214.6093.YahooMailNeo@web31811.mail.mud.yahoo.com>
In-Reply-To: <1341939214.6093.YahooMailNeo@web31811.mail.mud.yahoo.com>
Message-Id: <62CBC4E5-EA67-4312-8263-6143CD7DC5C6@ve7jtb.com>
From: John Bradley <ve7jtb@ve7jtb.com>
Date: Tue, 10 Jul 2012 12:58:57 -0400
To: William Mills <wmills_92105@yahoo.com>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Holder-of-the-Key for OAuth

We should be supporting both the client providing the key pair and a server-generated pair.

In higher-security settings the private key may be stored in hardware.

There are more possible attacks if the key is sent to the client. 

John B. 

Sent from my iPhone

On 2012-07-10, at 12:53 PM, William Mills <wmills_92105@yahoo.com> wrote:

> The server would need to issue a key pair and not just the private key. Are you saying the private key is for the certificate, and that certificate is part of the access_token?
> 
> 
> From: "Manger, James H" <James.H.Manger@team.telstra.com>
> To: Hannes Tschofenig <hannes.tschofenig@gmx.net>; OAuth WG <oauth@ietf.org> 
> Sent: Monday, July 9, 2012 8:54 PM
> Subject: Re: [OAUTH-WG] Holder-of-the-Key for OAuth
> 
> Hannes,
> 
> > today I submitted a short document that illustrates the concept of
> > holder-of-the-key for OAuth.
> > Here is the document:
> > https://datatracker.ietf.org/doc/draft-tschofenig-oauth-hotk 
> 
> 
> A different approach would be for the service to issue a private asymmetric key to the client app, along with a certificate, in the access token response. This is a slightly better match to the OAuth2 model of the authorization service issuing temporary credentials for accessing resources on a user’s behalf.
> 
> When the token_type is "tls_client_cert" (probably a better label than "hotk"), the client can access protected resources using TLS with client authentication, using the key from the "private_key" field. The "access_token" field holds a base64url-encoded certificate to include in the TLS handshake.
> 
> An example access token response could be:
> 
>   HTTP/1.1 200 OK
>   Content-Type: application/json;charset=UTF-8
>   Cache-Control: no-store
>   Pragma: no-cache
> 
>   {
>     "token_type":"tls_client_cert",
>     "access_token":"MIIGcDCCBdmgAwIBAgIKE…",
>     "private_key":{
>       "alg":"RSA", "mod":"Ovx7…", "p":"7dE…", "q":"fJ3…", …
>     },
>     "expires_in":3600,
>     "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA"
>   }
> 
> 
> The suggestion above passes the "access_token" to the protected resource in the TLS protocol in the form of a certificate.
> draft-tschofenig-oauth-hotk says the client "presents the access token to the resource server", but it wasn't clear to me how it was done. Were you expecting the client to use the BEARER HTTP auth scheme inside the client-authenticated TLS connection?
> 
> --
> James Manger
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
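The binding James proposes, worked through end to end as an added example (mine, not code from the thread or from any WG draft): the authorization server mints a key pair and a certificate signed by its own issuing CA, returns them in a "tls_client_cert" token response, and the resource server accepts the token only if the certificate it carries is exactly the one the TLS layer authenticated and that certificate chains to the AS root. Encoding private_key as base64url PKCS#1 DER (the thread elides its layout), the AS acting as a CA, expires_in doubling as the certificate lifetime, and all function names are assumptions of this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"math/big"
	"time"
)

// TokenResponse mirrors the proposed response; carrying private_key as base64url PKCS#1 DER is this example's assumption.
type TokenResponse struct {
	TokenType   string `json:"token_type"`
	AccessToken string `json:"access_token"` // base64url DER client certificate, as in the proposal
	PrivateKey  string `json:"private_key"`
	ExpiresIn   int    `json:"expires_in"` // also used here as the certificate lifetime (assumption)
}
// mint issues a client-auth certificate for cn; with parent == nil it is a self-signed root (the AS's issuing CA).
func mint(cn string, ttl time.Duration, parent *x509.Certificate, pkey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(ttl), BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if parent == nil {
		t.IsCA, t.KeyUsage, parent, pkey = true, x509.KeyUsageCertSign, t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// IssueToken is the AS side: a fresh key pair and an AS-signed certificate go into the token response; the certificate is returned too, as the AS would record it.
func IssueToken(root *x509.Certificate, rootKey *rsa.PrivateKey, client string, ttl time.Duration) (TokenResponse, *x509.Certificate) {
	cert, key := mint(client, ttl, root, rootKey)
	return TokenResponse{TokenType: "tls_client_cert", AccessToken: base64.RawURLEncoding.EncodeToString(cert.Raw),
		PrivateKey: base64.RawURLEncoding.EncodeToString(x509.MarshalPKCS1PrivateKey(key)), ExpiresIn: int(ttl.Seconds())}, cert
}
// ResourceCheck is the holder-of-the-key binding at the resource server: the TLS-authenticated peer certificate must be exactly the token certificate, chain to the AS root, and be within validity.
func ResourceCheck(root, peer *x509.Certificate, accessToken string) error {
	if base64.RawURLEncoding.EncodeToString(peer.Raw) != accessToken {
		return errors.New("access_token is not the certificate presented in the TLS handshake")
	}
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := peer.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}
```

A certificate the client minted itself passes the byte-for-byte match but fails the chain check, which is why the chain verification is not optional here.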