Re: [OAUTH-WG] New Version Notification for draft-hunt-oauth-pop-architecture-00.txt
John Bradley <ve7jtb@ve7jtb.com> Thu, 03 April 2014 18:10 UTC
Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 41A561A0264 for <oauth@ietfa.amsl.com>; Thu, 3 Apr 2014 11:10:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YKL3OKQS-LQf for <oauth@ietfa.amsl.com>; Thu, 3 Apr 2014 11:10:33 -0700 (PDT)
Received: from mail-qa0-f53.google.com (mail-qa0-f53.google.com [209.85.216.53]) by ietfa.amsl.com (Postfix) with ESMTP id E278A1A010F for <oauth@ietf.org>; Thu, 3 Apr 2014 11:10:32 -0700 (PDT)
Received: by mail-qa0-f53.google.com with SMTP id w8so1987967qac.26 for <oauth@ietf.org>; Thu, 03 Apr 2014 11:10:28 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:message-id:references:to; bh=d0/WfNwngp8MoUdjdSTKQejbSNLwgjtLxX5mw36ZLh0=; b=fa8H2SrghXw/+3GFINmUxcYAl3JAV/sf9+OzrXrCjrJpOEZVNfRADRS4IMIG7A+tgX RVSyP1x+wI7+Bt5zUzHded2El52fKp9zbvaG1v9P5ZcLNd03f/SIsUA/MRfo22r6tJBr 3NIyEzZT06xM0eGNotbM2TtFFgg38EC7914Io8iy/2DYsJ7PbTMS9QHoYVAMfE/QhT2F ZKsXBAhcYqx50E07lk7IW8LfeKoXa7rE2LpWSuasnHpoFx1TFRpgfSFRWEFAd6dPlNBl tUmeTBvzk1btpMxCRd7xYzZKODE9V9bI1KgL0aAbtOEhP4JTGI9xD+/PLvG9jIqyuD17 Uinw==
X-Gm-Message-State: ALoCoQkYhMt3HjfVNU48udmW4z76WiG6LRVh5vmBsy1Epd5X8k1J+c0tpaJGWtBY/p5jwU8A6nka
X-Received: by 10.229.81.71 with SMTP id w7mr9261155qck.8.1396548627913; Thu, 03 Apr 2014 11:10:27 -0700 (PDT)
Received: from [107.16.249.57] ([107.16.249.57]) by mx.google.com with ESMTPSA id s111sm7689613qge.19.2014.04.03.11.10.26 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 03 Apr 2014 11:10:26 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail=_84A27B51-5583-4F8F-AE63-9032AB6F54A7"
Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <6BE94541-2DAA-4CDA-8478-E1BF99480629@oracle.com>
Date: Thu, 03 Apr 2014 14:10:10 -0400
Message-Id: <A3F617B5-BD1F-4A8F-8A46-2DD5D0FBF4F8@ve7jtb.com>
References: <20140403083747.31162.58961.idtracker@ietfa.amsl.com> <1396541184.357.YahooMailNeo@web125601.mail.ne1.yahoo.com> <533D8CA3.6070005@oracle.com> <533D8E5F.8000600@redhat.com> <6BE94541-2DAA-4CDA-8478-E1BF99480629@oracle.com>
To: Phil Hunt <phil.hunt@oracle.com>
X-Mailer: Apple Mail (2.1874)
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/1l0eHYbmwQaxCZXWongUvziDx1s
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] New Version Notification for draft-hunt-oauth-pop-architecture-00.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Apr 2014 18:10:38 -0000
Some people and specs associate holder of key with asymmetric keys. Proof of possession is thought to be a broader category including symmetric and key agreement eg http://tools.ietf.org/html/rfc2875. NIST defines the term PoP Protocol http://fismapedia.org/index.php?title=Term:Proof_of_Possession_Protocol In SAML the saml:SubjectConfirmation method is called urn:oasis:names:tc:SAML:2.0:cm:holder-of-key In WS* the term proof of possession is more common. So I think for this document as an overview "Proof of Possession (PoP) Architecture" is fine. John B. On Apr 3, 2014, at 12:41 PM, Phil Hunt <phil.hunt@oracle.com> wrote: > What was wrong with HOK? > > Aside: Why was “the” so important in HOTK? > > Phil > > @independentid > www.independentid.com > phil.hunt@oracle.com > > On Apr 3, 2014, at 9:37 AM, Anil Saldhana <Anil.Saldhana@redhat.com> wrote: > >> Prateek, >> why not just use "proof"? >> >> draft-hunt-oauth-proof-architecture-00.txt >> >> Is that allowed by IETF? >> >> >> Regards, >> Anil >> >> On 04/03/2014 11:30 AM, Prateek Mishra wrote: >>> "key confirmed" or "key confirmation" is another term that is widely used for these use-cases >>>> I really *like* the name "proof of possession", but I think the acronym PoP is going to be confused with POP. HOTK has the advantage of not being a homonym for aything else. What about "Possession Proof"? >>>> >>>> -bill >>>> >>>> >>>> -------------------------------- >>>> William J. Mills >>>> "Paranoid" MUX Yahoo! >>>> >>>> On Thursday, April 3, 2014 1:38 AM, "internet-drafts@ietf.org" <internet-drafts@ietf.org> wrote: >>>> >>>> A new version of I-D, draft-hunt-oauth-pop-architecture-00.txt >>>> has been successfully submitted by Hannes Tschofenig and posted to the >>>> IETF repository. >>>> >>>> Name: draft-hunt-oauth-pop-architecture >>>> Revision: 00 >>>> Title: OAuth 2.0 Proof-of-Possession (PoP) Security Architecture >>>> Document date: 2014-04-03 >>>> Group: Individual Submission >>>> Pages: 21 >>>> URL: http://www.ietf.org/internet-drafts/draft-hunt-oauth-pop-architecture-00.txt >>>> Status: https://datatracker.ietf.org/doc/draft-hunt-oauth-pop-architecture/ >>>> Htmlized: http://tools.ietf.org/html/draft-hunt-oauth-pop-architecture-00 >>>> >>>> >>>> Abstract: >>>> The OAuth 2.0 bearer token specification, as defined in RFC 6750, >>>> allows any party in possession of a bearer token (a "bearer") to get >>>> access to the associated resources (without demonstrating possession >>>> of a cryptographic key). To prevent misuse, bearer tokens must to be >>>> protected from disclosure in transit and at rest. >>>> >>>> Some scenarios demand additional security protection whereby a client >>>> needs to demonstrate possession of cryptographic keying material when >>>> accessing a protected resource. This document motivates the >>>> development of the OAuth 2.0 proof-of-possession security mechanism. >>>> >>>> >>>> >>>> >>>> Please note that it may take a couple of minutes from the time of submission >>>> until the htmlized version and diff are available at tools.ietf.org. >>>> >>>> The IETF Secretariat >>>> >>>> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- Re: [OAUTH-WG] New Version Notification for draft… Prateek Mishra
- Re: [OAUTH-WG] New Version Notification for draft… Anil Saldhana
- Re: [OAUTH-WG] New Version Notification for draft… Phil Hunt
- Re: [OAUTH-WG] New Version Notification for draft… John Bradley
- Re: [OAUTH-WG] New Version Notification for draft… Mike Jones
- Re: [OAUTH-WG] New Version Notification for draft… Bill Mills
- Re: [OAUTH-WG] New Version Notification for draft… Thomas Hardjono
- Re: [OAUTH-WG] New Version Notification for draft… Anthony Nadalin