Re: [OAUTH-WG] [Ace] Questions about OAuth and DTLS

Samuel Erdtman <samuel@erdtman.se> Sun, 07 February 2016 17:24 UTC

In-Reply-To: <56B31FEB.4010204@sics.se>
References: <56B31FEB.4010204@sics.se>
Date: Sun, 07 Feb 2016 18:24:21 +0100
Message-ID: <CAF2hCbaiJLWihcgNV7B=1Kzq8WZGRd8wSF0UeD=uF8vhck-g3g@mail.gmail.com>
From: Samuel Erdtman <samuel@erdtman.se>
To: Ludwig Seitz <ludwig@sics.se>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/2BJYvUHrzHEiphIG9kUaqi_R67o>
Cc: oauth@ietf.org, ace@ietf.org
Subject: Re: [OAUTH-WG] [Ace] Questions about OAuth and DTLS

Hi,

I think it is a reasonable simplification to mandate that the PoP key and
the (D)TLS mode match, i.e. if the PoP key is symmetric the (D)TLS mode would
be PSK, and if the PoP key is asymmetric the (D)TLS mode would be Raw Public Key.

But I think there are some compelling properties of having a symmetric PoP
key and a Raw Public Key (D)TLS. In this case the public key of the RS can
be distributed to the client in the client information (the attributes
accompanying the token) from the AS, and the PoP key as defined by the PoP key
distribution draft. With this setup the client can authenticate the server
at connection time and then it can send its PoP token to the authorization
information endpoint/resource at the RS (defined in
draft-ietf-ace-oauth-authz as an alternative to the HTTP Authorization
header) to authorize the client.

Regards
//Samuel
On Thu, Feb 4, 2016 at 10:54 AM, Ludwig Seitz <ludwig@sics.se> wrote:

> Hello list(s),
>
> in the process of updating our draft [1] (mainly in reaction to the
> reviewer's comments) I've come up with a question I'd like to put to the
> list (crossposting to OAuth as well, they might have considered that
> already):
>
> Assuming we are using (D)TLS to secure the connection between C and RS,
> assuming further that we are using proof-of-possession tokens [2], i.e.
> tokens linked to a key, of which the client needs to prove possession in
> order for the RS to accept the token.
>
> Do we need to support cases where the type of key used with DTLS does not
> match the type of key in the PoP-token?
>
> Example:
>
> The client uses its raw public key as proof of possession, but the DTLS
> connection C - RS is secured with a pre-shared symmetric key.
>
> Is that a realistic use case?
>
> It would simplify the DTLS cases a lot if I could just require the token
> and the DTLS session to use the same type of key. For starters we could use
> the DTLS handshake to perform the proof-of-possession.
>
> Would there be any security issues with using the PoP key in the DTLS
> handshake?
>
> I'm thinking of using pre-shared symmetric PoP keys as PSK as in RFC4279
> and raw public PoP keys as client-authentication key as in
> RFC7250.
>
>
> Regards,
>
> Ludwig
>
> [1] https://datatracker.ietf.org/doc/draft-ietf-ace-oauth-authz/
> [2] https://tools.ietf.org/html/draft-ietf-oauth-pop-key-distribution-02
>
>
> --
> Ludwig Seitz, PhD
> SICS Swedish ICT AB
> Ideon Science Park
> Building Beta 2
> Scheelevägen 17
> SE-223 70 Lund
>
> Phone +46(0)70 349 9251
> http://www.sics.se
>
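The matching rule Ludwig proposes (symmetric PoP key means DTLS-PSK as in RFC 4279, asymmetric PoP key means DTLS raw public key as in RFC 7250) and the idea of letting the handshake itself serve as the proof of possession, written out as an added Python example. This is not code from the thread, the drafts, or either poster. It assumes a dict-based token with `cti` and `cnf` fields instead of the CBOR/CWT encoding, assumes that the `psk_identity` (or the RPK session's identity) names a token previously posted to the RS's authz-info endpoint, and replaces the real DTLS handshake with an HMAC over a random transcript stand-in; the names `ResourceServer`, `psk_handshake` and `dtls_mode_for_pop_key` are hypothetical.

```python
"""Hypothetical model of "PoP key type dictates the (D)TLS mode" at the RS.

Assumptions (not from the drafts): tokens are dicts, the psk_identity is the
token id, and the PSK handshake is reduced to an HMAC over a transcript.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional


def dtls_mode_for_pop_key(cnf: dict) -> str:
    """Symmetric PoP key -> DTLS-PSK (RFC 4279); asymmetric -> raw public key (RFC 7250)."""
    kty = cnf.get("kty")
    if kty == "Symmetric":
        return "psk"
    if kty in ("EC2", "RSA", "OKP"):
        return "rpk"
    raise ValueError(f"unsupported PoP key type {kty!r}")


@dataclass
class ResourceServer:
    """Keeps tokens posted to the authz-info endpoint, keyed by token id (cti)."""
    tokens: dict = field(default_factory=dict)

    def authz_info(self, token: dict) -> None:
        # Assumption: the AS's signature/MAC on the token was verified before this call.
        dtls_mode_for_pop_key(token["cnf"])  # reject unknown key types up front
        self.tokens[token["cti"]] = token

    def psk_for_identity(self, identity: bytes) -> Optional[bytes]:
        """PSK callback for the DTLS stack: only a token whose PoP key is
        symmetric may be used in PSK mode; anything else yields no PSK."""
        tok = self.tokens.get(identity)
        if tok is None or dtls_mode_for_pop_key(tok["cnf"]) != "psk":
            return None
        return tok["cnf"]["k"]

    def check_rpk_session(self, identity: bytes, peer_rpk_spki: bytes) -> bool:
        """After an RPK handshake the DTLS stack has already checked the
        client's CertificateVerify; the RS must still confirm that the raw
        public key it proved is the one bound to the token."""
        tok = self.tokens.get(identity)
        if tok is None or dtls_mode_for_pop_key(tok["cnf"]) != "rpk":
            return False
        return hmac.compare_digest(tok["cnf"]["spki"], peer_rpk_spki)


def psk_handshake(rs: ResourceServer, identity: bytes, client_psk: bytes) -> bool:
    """Stand-in for the PSK key exchange: each side derives a finished value
    from its PSK and the transcript; the RS accepts only if they agree, so
    completing the handshake proves possession of the token's key."""
    server_psk = rs.psk_for_identity(identity)
    if server_psk is None:
        return False
    transcript = os.urandom(32)  # stand-in for the handshake transcript hash
    client_finished = hmac.new(client_psk, transcript, hashlib.sha256).digest()
    expected = hmac.new(server_psk, transcript, hashlib.sha256).digest()
    return hmac.compare_digest(client_finished, expected)


def demo() -> dict:
    """Constructed tokens: one with a symmetric PoP key, one with an EC key."""
    rs = ResourceServer()
    sym_token = {"cti": b"t1", "cnf": {"kty": "Symmetric", "k": os.urandom(16)}}
    rpk_token = {"cti": b"t2", "cnf": {"kty": "EC2", "spki": os.urandom(91)}}  # stand-in for DER SPKI
    rs.authz_info(sym_token)
    rs.authz_info(rpk_token)
    return {
        "psk_matching_key": psk_handshake(rs, b"t1", sym_token["cnf"]["k"]),
        "psk_wrong_key": psk_handshake(rs, b"t1", os.urandom(16)),
        # Ludwig's mismatch example: RPK-bound token offered in PSK mode is refused
        "psk_with_rpk_token": psk_handshake(rs, b"t2", os.urandom(16)),
        "rpk_matching_key": rs.check_rpk_session(b"t2", rpk_token["cnf"]["spki"]),
        "rpk_with_symmetric_token": rs.check_rpk_session(b"t1", os.urandom(91)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The two refusal paths (`psk_for_identity` returning no PSK, `check_rpk_session` returning false) are where the "same type of key" rule is enforced; a real RS would additionally check the token's audience, scope and expiry before the session is used.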