Re: [OAUTH-WG] Holder-of-the-Key for OAuth
Hannes Tschofenig <hannes.tschofenig@gmx.net> Tue, 10 July 2012 16:11 UTC
Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9DDF511E8194 for <oauth@ietfa.amsl.com>; Tue, 10 Jul 2012 09:11:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.616
X-Spam-Level:
X-Spam-Status: No, score=-102.616 tagged_above=-999 required=5 tests=[AWL=-0.017, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eLwqP80yHb8m for <oauth@ietfa.amsl.com>; Tue, 10 Jul 2012 09:11:37 -0700 (PDT)
Received: from mailout-de.gmx.net (mailout-de.gmx.net [213.165.64.22]) by ietfa.amsl.com (Postfix) with SMTP id 8400E11E8193 for <oauth@ietf.org>; Tue, 10 Jul 2012 09:11:36 -0700 (PDT)
Received: (qmail invoked by alias); 10 Jul 2012 16:12:03 -0000
Received: from a88-115-216-191.elisa-laajakaista.fi (EHLO [192.168.100.106]) [88.115.216.191] by mail.gmx.net (mp028) with SMTP; 10 Jul 2012 18:12:03 +0200
X-Authenticated: #29516787
X-Provags-ID: V01U2FsdGVkX1/faj41jrrfLppoJBvUWcEA/yYAujZEjOnmrJXi5h kP4UcE2wzLG6Zk
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: text/plain; charset="us-ascii"
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
In-Reply-To: <B26C1EF377CB694EAB6BDDC8E624B6E74F97B2E2@BL2PRD0310MB362.namprd03.prod.outlook.com>
Date: Tue, 10 Jul 2012 19:11:55 +0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <6D7E3A30-873A-41DD-8ADA-A3334E023576@gmx.net>
References: <8FB1BC31-D183-47A0-9792-4FDF460AFAA1@gmx.net> <B26C1EF377CB694EAB6BDDC8E624B6E74F979CF1@BL2PRD0310MB362.namprd03.prod.outlook.com> <22194120-0613-48A7-9825-FD3BAD76062A@gmx.net> <C433DCE1-3015-4442-9DD0-A5228415D6C0@ve7jtb.com> <B26C1EF377CB694EAB6BDDC8E624B6E74F97B2E2@BL2PRD0310MB362.namprd03.prod.outlook.com>
To: Anthony Nadalin <tonynad@microsoft.com>
X-Mailer: Apple Mail (2.1084)
X-Y-GMX-Trusted: 0
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Holder-of-the-Key for OAuth
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Jul 2012 16:11:37 -0000
If we do not bind the key to the channel than we will run into all sorts of problems. The current MAC specification illustrates that quite nicely. On top of that you can re-use the established security channel for the actual data exchange. On Jul 10, 2012, at 5:29 PM, Anthony Nadalin wrote: >> One question is if we want to do a generic proof of possession for JWT that is useful outside OAuth, or something OAuth specific. The answer may be a combined approach. > > Depends if we want OAuth to support the concept of a request/response for a proof token and keep the actual binding for a separate specification, in most of our cases the keying material is opaque (and just a blob), where we care about the key material is in the key agreement (entropy) cases. > > -----Original Message----- > From: John Bradley [mailto:ve7jtb@ve7jtb.com] > Sent: Tuesday, July 10, 2012 3:34 AM > To: Hannes Tschofenig > Cc: Anthony Nadalin; OAuth WG > Subject: Re: [OAUTH-WG] Holder-of-the-Key for OAuth > > I agree that there are use-cases for all of the proof of possession mechanisms. > > Presentment methods also need to be considered. > > TLS client auth may not always be the best option. Sometimes message signing is more appropriate. > > One question is if we want to do a generic proof of possession for JWT that is useful outside OAuth, or something OAuth specific. The answer may be a combined approach. > > I think this is a good start to get discussion going. > > John B. > On 2012-07-09, at 3:05 PM, Hannes Tschofenig wrote: > >> Hi Tony, >> >> I had to start somewhere. I had chosen the asymmetric version since it provides good security properties and there is already the BrowserID/OBC work that I had in the back of my mind. I am particularly interested to illustrate that you can accomplish the same, if not better, characteristics than BrowserID by using OAuth instead of starting from scratch. >> >> Regarding the symmetric keys: The asymmetric key can be re-used but with a symmetric key holder-of-the-key you would have to request a fresh one every time in order to accomplish comparable security benefits. >> >> Ciao >> Hannes >> >> On Jul 9, 2012, at 9:57 PM, Anthony Nadalin wrote: >> >>> Hannes, thanks for drafting this, couple of comments: >>> >>> 1. HOK is one of Proof of Possession methods, should we consider others? >>> 2. This seems just to handle asymmetric keys, need to also handle symmetric keys >>> >>> >>> -----Original Message----- >>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes Tschofenig >>> Sent: Monday, July 09, 2012 11:15 AM >>> To: OAuth WG >>> Subject: [OAUTH-WG] Holder-of-the-Key for OAuth >>> >>> Hi guys, >>> >>> today I submitted a short document that illustrates the concept of holder-of-the-key for OAuth. >>> Here is the document: >>> https://datatracker.ietf.org/doc/draft-tschofenig-oauth-hotk >>> >>> Your feedback is welcome >>> >>> Ciao >>> Hannes >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >>> >>> >>> >>> >>> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth > > > > > >
- [OAUTH-WG] Holder-of-the-Key for OAuth Hannes Tschofenig
- Re: [OAUTH-WG] Holder-of-the-Key for OAuth Anthony Nadalin
- Re: [OAUTH-WG] Holder-of-the-Key for OAuth Hannes Tschofenig
- Re: [OAUTH-WG] Holder-of-the-Key for OAuth Anthony Nadalin
- Re: [OAUTH-WG] Holder-of-the-Key for OAuth Manger, James H
- Re: [OAUTH-WG] Holder-of-the-Key for OAuth John Bradley
- Re: [OAUTH-WG] Holder-of-the-Key for OAuth Anthony Nadalin
- Re: [OAUTH-WG] Holder-of-the-Key for OAuth Hannes Tschofenig
- Re: [OAUTH-WG] Holder-of-the-Key for OAuth Anthony Nadalin
- Re: [OAUTH-WG] Holder-of-the-Key for OAuth William Mills
- Re: [OAUTH-WG] Holder-of-the-Key for OAuth John Bradley
- Re: [OAUTH-WG] Holder-of-the-Key for OAuth Phil Hunt
- Re: [OAUTH-WG] Holder-of-the-Key for OAuth John Bradley
- Re: [OAUTH-WG] Holder-of-the-Key for OAuth Anthony Nadalin
- Re: [OAUTH-WG] Holder-of-the-Key for OAuth John Bradley
- Re: [OAUTH-WG] Holder-of-the-Key for OAuth prateek mishra
- Re: [OAUTH-WG] Holder-of-the-Key for OAuth Tschofenig, Hannes (NSN - FI/Espoo)
- Re: [OAUTH-WG] Holder-of-the-Key for OAuth Anthony Nadalin
- Re: [OAUTH-WG] Holder-of-the-Key for OAuth prateek mishra
- Re: [OAUTH-WG] Holder-of-the-Key for OAuth William Mills
- Re: [OAUTH-WG] Holder-of-the-Key for OAuth Phil Hunt
- Re: [OAUTH-WG] Holder-of-the-Key for OAuth Manger, James H
- Re: [OAUTH-WG] Holder-of-the-Key for OAuth John Bradley
- Re: [OAUTH-WG] Holder-of-the-Key for OAuth Hannes Tschofenig
- Re: [OAUTH-WG] Holder-of-the-Key for OAuth Manger, James H
- Re: [OAUTH-WG] Holder-of-the-Key for OAuth Hannes Tschofenig
- Re: [OAUTH-WG] Holder-of-the-Key for OAuth John Bradley
- Re: [OAUTH-WG] Holder-of-the-Key for OAuth Hannes Tschofenig
- Re: [OAUTH-WG] Holder-of-the-Key for OAuth John Bradley
- Re: [OAUTH-WG] Holder-of-the-Key for OAuth John Bradley
- Re: [OAUTH-WG] Holder-of-the-Key for OAuth prateek mishra
- Re: [OAUTH-WG] Holder-of-the-Key for OAuth William Mills
- Re: [OAUTH-WG] Holder-of-the-Key for OAuth William Mills