Re: [OAUTH-WG] Proof-of-Possession Key Semantics for JWTs spec addressing final shepherd comment

Hannes Tschofenig <hannes.tschofenig@gmx.net> Thu, 05 November 2015 00:26 UTC

From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
To: Mike Jones <Michael.Jones@microsoft.com>, Brian Campbell <bcampbell@pingidentity.com>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Date: Thu, 05 Nov 2015 01:25:58 +0100
Subject: Re: [OAUTH-WG] Proof-of-Possession Key Semantics for JWTs spec addressing final shepherd comment
Message-ID: <563AA216.5010109@gmx.net>
In-Reply-To: <BY2PR03MB44262EA4616E08287A91DB1F52A0@BY2PR03MB442.namprd03.prod.outlook.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/22lPIHRCSAtiPP1H9lWGTiCtvBc>

I agree that the effect is the same. From a security point of view there
is only an impact if one of the two parties is in a better position to
generate random numbers, which is the basis for generating a high
entropy symmetric key.

On 11/04/2015 11:51 PM, Mike Jones wrote:
> Thanks for the detailed read, Brian.  You’re right that in the symmetric
> case, either the issuer or the presenter can create the symmetric PoP
> key and share it with the other party, since the effect is equivalent.
> I suspect that both the key distribution draft and this draft should be
> updated with a sentence or two saying that either approach can be
> taken.  Do others concur?
> 
>                                                             -- Mike
> 
> *From:* Brian Campbell [mailto:bcampbell@pingidentity.com]
> *Sent:* Thursday, November 05, 2015 7:48 AM
> *To:* Mike Jones
> *Cc:* Kepeng Li; oauth@ietf.org
> *Subject:* Re: [OAUTH-WG] Proof-of-Possession Key Semantics for JWTs
> spec addressing final shepherd comment
> 
> +1 for the diagrams making the document more understandable.
> 
> One little nit/question, step 1 in both Symmetric and Asymmetric keys
> shows the Presenter sending the key to the Issuer. It's possible,
> however, for the key to be sent the other way. Presenter sending it to
> the Issuer is probably preferred for asymmetric, especially if the
> client can secure the private keys in hardware. But I don't know if one
> way or the other is clearly better for the symmetric case, and PoP key
> distribution currently has it the other way
> <https://tools.ietf.org/html/draft-ietf-oauth-pop-key-distribution-02#section-4.2>.
> Should the intro text somehow mention the possibility that the Issuer
> could create the key and send it to the Presenter?
> 
> I know it's only the introduction but it was just something that jumped
> out at me.
> 
> On Wed, Nov 4, 2015 at 9:04 AM, Mike Jones <Michael.Jones@microsoft.com
> <mailto:Michael.Jones@microsoft.com>> wrote:
> 
> Thanks for suggesting the diagrams, Kepeng. They make the document more
> understandable.
> 
> -- Mike
> 
> ------------------------------------------------------------------------
> 
> *From:* Kepeng Li <mailto:kepeng.lkp@alibaba-inc.com>
> *Sent:* 11/5/2015 12:57 AM
> *To:* Mike Jones <mailto:Michael.Jones@microsoft.com>; oauth@ietf.org
> <mailto:oauth@ietf.org>
> *Subject:* Re: Proof-of-Possession Key Semantics for JWTs spec
> addressing final shepherd comment
> 
> Thank you Mike.
> 
> The diagrams look good to me.
> 
> Kind Regards
> 
> Kepeng
> 
> *From:* Mike Jones <Michael.Jones@microsoft.com
> <mailto:Michael.Jones@microsoft.com>>
> *Date:* Thursday, 5 November, 2015 12:32 am
> *To:* "oauth@ietf.org <mailto:oauth@ietf.org>" <oauth@ietf.org
> <mailto:oauth@ietf.org>>
> *Cc:* Li Kepeng <kepeng.lkp@alibaba-inc.com
> <mailto:kepeng.lkp@alibaba-inc.com>>
> *Subject:* Proof-of-Possession Key Semantics for JWTs spec addressing
> final shepherd comment
> 
> Proof-of-Possession Key Semantics for JWTs draft -06 addresses the
> remaining document shepherd comment – adding use case diagrams to the
> introduction.
> 
> The updated specification is available at:
> 
> - http://tools.ietf.org/html/draft-ietf-oauth-proof-of-possession-06
> 
> An HTML formatted version is also available at:
> 
> - https://self-issued.info/docs/draft-ietf-oauth-proof-of-possession-06.html
> 
>                                                             -- Mike
> 
> P.S.  This note was also posted at http://self-issued.info/?p=1471 and
> as @selfissued <https://twitter.com/selfissued>.
> 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org <mailto:OAuth@ietf.org>
> https://www.ietf.org/mailman/listinfo/oauth
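
The symmetric case discussed above, as an added example that is not code from this thread, from the draft, or from any of the participants: the same proof-of-possession flow is run once with the issuer and once with the presenter generating the key, which shows that the two distribution directions give the recipient the same guarantee and that the only thing that changes is whose random number generator the key's entropy comes from. The `cnf`/`kid` claim layout follows RFC 7800, the published form of this draft; the HMAC proof format, the key-acceptance check, the `rng` parameter, and all names and sample values are constructed assumptions for the example.

```python
"""Symmetric PoP key flow with either party generating the key.
Added illustration; cnf/kid layout per RFC 7800, everything else constructed."""
import base64
import hashlib
import hmac
import json
import secrets

MIN_KEY_BYTES = 32  # 256-bit symmetric key (assumed local policy, not a spec value)


def generate_pop_key(nbytes: int = MIN_KEY_BYTES) -> bytes:
    """Draw the symmetric PoP key from the OS CSPRNG.  Whichever party runs
    this fixes the key's entropy, which is the security point of the thread."""
    return secrets.token_bytes(nbytes)


def check_pop_key(key: bytes) -> None:
    """Sanity checks a recipient can apply to a key it did not generate.
    Length bounds the entropy; a degenerate key is an obvious RNG failure.
    Neither check measures entropy, so the generating party still matters."""
    if len(key) < MIN_KEY_BYTES:
        raise ValueError(f"PoP key too short: {len(key)} < {MIN_KEY_BYTES} bytes")
    if len(set(key)) == 1:
        raise ValueError("PoP key is degenerate (every byte identical)")


def b64url(data: bytes) -> str:
    """Base64url without padding, as used for JWT components."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def issue_pop_jwt_claims(kid: str, subject: str = "presenter",
                         issuer: str = "https://as.example") -> dict:
    """Claims the issuer binds to the key.  cnf.kid names a symmetric key the
    presenter and the recipient already share (RFC 7800 'kid' member)."""
    return {"iss": issuer, "sub": subject, "cnf": {"kid": kid}}


def prove_possession(pop_key: bytes, claims: dict, nonce: bytes) -> str:
    """Presenter proves possession with an HMAC over the canonical claims and
    a fresh recipient nonce.  Constructed proof format, not a standard one."""
    canonical = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(pop_key, canonical + b"." + nonce, hashlib.sha256).digest()
    return b64url(mac)


def verify_possession(pop_key: bytes, claims: dict, nonce: bytes, proof: str) -> bool:
    """Recipient recomputes the proof with the key found via cnf.kid."""
    expected = prove_possession(pop_key, claims, nonce)
    return hmac.compare_digest(expected, proof)


def run_symmetric_flow(generator: str, rng=secrets.token_bytes) -> bool:
    """Run the whole flow with `generator` ('issuer' or 'presenter') creating
    the key using `rng`.  Transport of the key to the other party is assumed
    to be a protected channel and is not modelled; both parties end up with
    the same bytes either way, so only the generator's RNG quality differs."""
    if generator not in ("issuer", "presenter"):
        raise ValueError(f"unknown generator {generator!r}")
    key = rng(MIN_KEY_BYTES)          # step 1: the generating party draws the key
    kid = secrets.token_hex(8)        # identifier that will travel in cnf.kid
    check_pop_key(key)                # the receiving party validates what it got
    issuer_key = presenter_key = key  # after distribution both hold the key
    claims = issue_pop_jwt_claims(kid)
    nonce = secrets.token_bytes(16)   # recipient challenge, fresh per proof
    proof = prove_possession(presenter_key, claims, nonce)
    return verify_possession(issuer_key, claims, nonce, proof)


if __name__ == "__main__":
    for who in ("issuer", "presenter"):
        print(who, "generates key -> proof verifies:", run_symmetric_flow(who))
```

Running the script prints `True` for both directions; the check in `check_pop_key` is what a receiving party can do locally, and it deliberately rejects the output of a broken generator (for instance a zeroed buffer) while being unable to tell a good key from a merely plausible-looking one.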