Re: [OAUTH-WG] Proof-of-Possession Key Semantics for JWTs spec addressing final shepherd comment
Hannes Tschofenig <hannes.tschofenig@gmx.net> Thu, 05 November 2015 00:26 UTC
To: Mike Jones <Michael.Jones@microsoft.com>, Brian Campbell <bcampbell@pingidentity.com>
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Message-ID: <563AA216.5010109@gmx.net>
Date: Thu, 05 Nov 2015 01:25:58 +0100
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/22lPIHRCSAtiPP1H9lWGTiCtvBc>
Cc: "oauth@ietf.org" <oauth@ietf.org>
I agree that the effect is the same. From a security point of view there is only an impact if one of the two parties is in a better position to generate random numbers, which is the basis for generating a high entropy symmetric key.

On 11/04/2015 11:51 PM, Mike Jones wrote:
> Thanks for the detailed read, Brian. You're right that in the symmetric
> case, either the issuer or the presenter can create the symmetric PoP
> key and share it with the other party, since the effect is equivalent.
> I suspect that both the key distribution draft and this draft should be
> updated with a sentence or two saying that either approach can be
> taken. Do others concur?
>
> -- Mike
>
> *From:* Brian Campbell [mailto:bcampbell@pingidentity.com]
> *Sent:* Thursday, November 05, 2015 7:48 AM
> *To:* Mike Jones
> *Cc:* Kepeng Li; oauth@ietf.org
> *Subject:* Re: [OAUTH-WG] Proof-of-Possession Key Semantics for JWTs spec addressing final shepherd comment
>
> +1 for the diagrams making the document more understandable.
>
> One little nit/question, step 1 in both Symmetric and Asymmetric keys
> shows the Presenter sending the key to the Issuer. It's possible,
> however, for the key to be sent the other way. Presenter sending it to
> the Issuer is probably preferred for asymmetric, especially if the
> client can secure the private keys in hardware. But I don't know if one
> way or the other is clearly better for symmetric case and PoP key
> distribution currently has it the other way
> <https://tools.ietf.org/html/draft-ietf-oauth-pop-key-distribution-02#section-4.2>.
> Should the intro text somehow mention the possibility that the Issuer
> could create the key and send it to the Presenter?
>
> I know it's only the introduction but it was just something that jumped
> out at me.
>
> On Wed, Nov 4, 2015 at 9:04 AM, Mike Jones <Michael.Jones@microsoft.com> wrote:
>
> Thanks for suggesting the diagrams, Kepeng. They make the document more
> understandable.
>
> -- Mike
>
> ------------------------------------------------------------------------
>
> *From:* Kepeng Li <kepeng.lkp@alibaba-inc.com>
> *Sent:* 11/5/2015 12:57 AM
> *To:* Mike Jones <Michael.Jones@microsoft.com>; oauth@ietf.org
> *Subject:* Re: Proof-of-Possession Key Semantics for JWTs spec addressing final shepherd comment
>
> Thank you Mike.
>
> The diagrams look good to me.
>
> Kind Regards
> Kepeng
>
> *From:* Mike Jones <Michael.Jones@microsoft.com>
> *Date:* Thursday, 5 November, 2015 12:32 am
> *To:* "oauth@ietf.org" <oauth@ietf.org>
> *Cc:* Li Kepeng <kepeng.lkp@alibaba-inc.com>
> *Subject:* Proof-of-Possession Key Semantics for JWTs spec addressing final shepherd comment
>
> Proof-of-Possession Key Semantics for JWTs draft -06 addresses the
> remaining document shepherd comment – adding use case diagrams to the
> introduction.
>
> The updated specification is available at:
> · http://tools.ietf.org/html/draft-ietf-oauth-proof-of-possession-06
>
> An HTML formatted version is also available at:
> · https://self-issued.info/docs/draft-ietf-oauth-proof-of-possession-06.html
>
> -- Mike
>
> P.S. This note was also posted at http://self-issued.info/?p=1471 and
> as @selfissued <https://twitter.com/selfissued>.
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
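The two symmetric-key flows discussed above (presenter generates the PoP key and sends it to the issuer in step 1, or the issuer generates it and returns it with the JWT), worked through as an added example. This is not code from the draft or from anyone in this thread. It assumes an HS256-signed JWT under a key shared by issuer and resource server, a challenge/response proof (the draft leaves the proof mechanism to other specifications), and a confidential channel for the token, since the symmetric key sits in the `cnf` claim in the clear; the issuer URL, subject and seed-space size are made up for the example. The last two functions illustrate Hannes's point: the RS check is the same either way, and only the generating party's randomness matters.

```python
"""Symmetric proof-of-possession (PoP) key bound to a JWT through the "cnf" claim.

Constructed example: the resource server's check is identical whether the
presenter or the issuer generated the key; the only thing that differs is
the entropy of whoever generated it.  Standard library only.
"""
import base64
import hashlib
import hmac
import json
import secrets

# Assumption: the issuer and the resource server (RS) share this key and the
# JWT is integrity-protected with HS256 under it.
ISSUER_RS_KEY = secrets.token_bytes(32)


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_pop_jwt(pop_key: bytes, subject: str) -> str:
    """Issuer mints a JWT whose "cnf" claim carries the symmetric PoP key as an
    "oct" JWK.  The key is in the clear inside the JWS, so a real deployment must
    encrypt the JWT (or put the key in the "jwe" member of "cnf"); this example
    assumes the token travels to the RS over a confidential channel."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": "https://issuer.example",   # assumed issuer identifier
        "sub": subject,
        "cnf": {"jwk": {"kty": "oct", "k": b64url(pop_key)}},
    }
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    sig = hmac.new(ISSUER_RS_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_jwt(token: str) -> dict:
    """RS verifies the issuer's signature and returns the claim set."""
    h, p, s = token.split(".")
    expected = hmac.new(ISSUER_RS_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad JWT signature")
    return json.loads(b64url_decode(p))


def presenter_prove(pop_key: bytes, challenge: bytes) -> bytes:
    """Presenter proves possession by MACing an RS-chosen nonce (assumed
    challenge/response mechanism, not something the draft specifies)."""
    return hmac.new(pop_key, challenge, hashlib.sha256).digest()


def rs_check(token: str, challenge: bytes, proof: bytes) -> bool:
    """RS: extract the PoP key from "cnf" and check the presenter's proof."""
    claims = verify_jwt(token)
    pop_key = b64url_decode(claims["cnf"]["jwk"]["k"])
    return hmac.compare_digest(presenter_prove(pop_key, challenge), proof)


def run_flow(generated_by: str, keygen=lambda: secrets.token_bytes(32)) -> bool:
    """generated_by is "presenter" (key sent to the issuer in step 1 of the
    diagram) or "issuer" (issuer creates the key and returns it with the JWT).
    Everything after key generation is the same in both cases: the RS cannot
    tell, and does not care, who generated the key."""
    if generated_by not in ("presenter", "issuer"):
        raise ValueError(generated_by)
    pop_key = keygen()                       # by whichever party has the better RNG
    token = make_pop_jwt(pop_key, "presenter-1")
    challenge = secrets.token_bytes(16)      # RS nonce
    return rs_check(token, challenge, presenter_prove(pop_key, challenge))


def weak_keygen(seed_bits: int = 16):
    """Constructed bad generator: the key is a hash of a seed with only
    2**seed_bits possible values (think PRNG seeded from a timestamp)."""
    def gen() -> bytes:
        seed = secrets.randbelow(2 ** seed_bits)
        return hashlib.sha256(seed.to_bytes(4, "big")).digest()
    return gen


def recover_weak_key(challenge: bytes, proof: bytes, seed_bits: int = 16):
    """An eavesdropper who saw one challenge/proof pair uses the proof as an
    oracle and walks the seed space.  Returns the PoP key, or None."""
    for seed in range(2 ** seed_bits):
        candidate = hashlib.sha256(seed.to_bytes(4, "big")).digest()
        if hmac.compare_digest(presenter_prove(candidate, challenge), proof):
            return candidate
    return None
```

`run_flow("presenter")` and `run_flow("issuer")` both succeed with a 32-byte key from `secrets`, and `run_flow("issuer", weak_keygen())` succeeds too: the RS accepts the weak key just as readily, which is why the choice of generating party is a randomness question rather than a protocol one. `recover_weak_key` then shows the cost of getting that choice wrong: one observed challenge/proof pair lets a passive attacker recover a 16-bit-seeded key in at most 65536 HMAC evaluations.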