Re: [OAUTH-WG] Proof-of-Possession Key Semantics for JWTs spec addressing final shepherd comment

John Bradley <ve7jtb@ve7jtb.com> Thu, 05 November 2015 04:32 UTC

Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A5ECB1B36B5 for <oauth@ietfa.amsl.com>; Wed, 4 Nov 2015 20:32:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pxilWXBb17Gc for <oauth@ietfa.amsl.com>; Wed, 4 Nov 2015 20:32:08 -0800 (PST)
Received: from mail-pa0-x231.google.com (mail-pa0-x231.google.com [IPv6:2607:f8b0:400e:c03::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 31A8B1ACD7B for <oauth@ietf.org>; Wed, 4 Nov 2015 20:32:08 -0800 (PST)
Received: by pacdm15 with SMTP id dm15so50320349pac.3 for <oauth@ietf.org>; Wed, 04 Nov 2015 20:32:07 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ve7jtb_com.20150623.gappssmtp.com; s=20150623; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=10k0na4HrMb041W2tn4IVg61PNOXGlQ0sQkEt8hCSbE=; b=O6/UsqhACUtCeikdbTh2jj3IXSiJIywLuMt8VyStvyOMQlTXaNByyx/5sHQQlabToR mpVn/S7Du4j0O4BtQit8gBgsmgMAUlfykM11SpUkdcNjW5xn26BIyIDoD48Xp0glD90f Sc6FGHNJHXcLh3J+3blv1kQAejzDL8clC3cyuCxcB9sotUx6TS5K44TApLMc01DGZqYw cnQflO3T81HjUPHEOM1Jep4SndP4ulAVP7HlUY9Jna7Q1xk64sL/UE3tKJCB4fKRnyqj neVKJxb8++xS+/W52yZargT+EiFmr+lDYyXKrqN7mAT9CeQWWJZ7JzMMrbS2w/MIvZu1 kKOw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:content-transfer-encoding:message-id:references :to; bh=10k0na4HrMb041W2tn4IVg61PNOXGlQ0sQkEt8hCSbE=; b=VsRxYBdvjl9hQvsdVp6CtYCa0WiSz1VLtV5oVoeUdlRYyXjFVQvEsVPMyEQTS5mc3r tA87FIHld+lQO0uowLFY7oMOy6hVLHbl7t6X8QuPsK4tsiiRBvbminURXgHO68NJXLEc Rias0GK//u23DM6RVEsRt2qkIoBDxivQAuOMNarAyZBkJP/psQA6DjAPqkMf61X2LqXW eiWK/84gpO2IrQSq4hDwCic+527slNijxzIxz6iIjSf/oUcvvvC8FdqYR9qwMYzohzCn WDTBiYIwvL5i9P1/sQlD3aBoJgkvqpEnRzFgHj/39Jlwk/nk/8o68uzhiaAQH1ffQPge wNUg==
X-Gm-Message-State: ALoCoQmh2/FIfH7Hwh9OKJWH4PhUYJ8nmwem2YL3+H+H8i1bgmxror5lgB2el6j4qQQ+BHaf0XOI
X-Received: by 10.68.111.101 with SMTP id ih5mr6983549pbb.84.1446697927723; Wed, 04 Nov 2015 20:32:07 -0800 (PST)
Received: from t20010c40000030089044b9d401462547.v6.meeting.ietf94.jp (t20010c40000030089044b9d401462547.v6.meeting.ietf94.jp. [2001:c40:0:3008:9044:b9d4:146:2547]) by smtp.gmail.com with ESMTPSA id cx5sm4971063pbc.50.2015.11.04.20.32.05 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 04 Nov 2015 20:32:07 -0800 (PST)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <563AA216.5010109@gmx.net>
Date: Thu, 5 Nov 2015 13:32:05 +0900
Content-Transfer-Encoding: quoted-printable
Message-Id: <A926F104-1624-4F32-9246-662594E66F5E@ve7jtb.com>
References: <BY2PR03MB442F6667C49F8CF260D504DF52A0@BY2PR03MB442.namprd03.prod.outlook.com> <D2605993.2210B%kepeng.lkp@alibaba-inc.com> <BY2PR03MB4423CADD0E9897848961B99F52A0@BY2PR03MB442.namprd03.prod.outlook.com> <CA+k3eCRW=ggajMeL1z2cvLDkou9XsLMupicH-5HyDkadj0_o_g@mail.gmail.com> <BY2PR03MB44262EA4616E08287A91DB1F52A0@BY2PR03MB442.namprd03.prod.outlook.com> <563AA216.5010109@gmx.net>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
X-Mailer: Apple Mail (2.2104)
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/4eIbP5STxSo0KfymjJqlp6E8m10>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Proof-of-Possession Key Semantics for JWTs spec addressing final shepherd comment
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Nov 2015 04:32:10 -0000

Agreed the only real difference is the quality of the key.  If the server generates it, then it knows that the client is not using the fixed hex value of DEADBEEF for everything.

John B.
> On Nov 5, 2015, at 9:25 AM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
> 
> I agree that the effect is the same. From a security point of view there
> is only an impact if one of the two parties is in a better position to
> generate random numbers, which is the basis for generating a high
> entropy symmetric key.
> 
> On 11/04/2015 11:51 PM, Mike Jones wrote:
>> Thanks for the detailed read, Brian.  You’re right that in the symmetric
>> case, either the issuer or the presenter can create the symmetric PoP
>> key and share it with the other party, since the effect is equivalent. 
>> I suspect that both the key distribution draft and this draft should be
>> updated with a sentence or two saying that either approach can be
>> taken.  Do others concur?
>> 
>> 
>> 
>>                                                            -- Mike
>> 
>> 
>> 
>> *From:*Brian Campbell [mailto:bcampbell@pingidentity.com]
>> *Sent:* Thursday, November 05, 2015 7:48 AM
>> *To:* Mike Jones
>> *Cc:* Kepeng Li; oauth@ietf.org
>> *Subject:* Re: [OAUTH-WG] Proof-of-Possession Key Semantics for JWTs
>> spec addressing final shepherd comment
>> 
>> 
>> 
>> +1 for the diagrams making the document more understandable.
>> 
>> One little nit/question, step 1 in both Symmetric and Asymmetric keys
>> shows the Presenter sending the key to the Issuer. It's possible,
>> however, for the key to be sent the other way. Presenter sending it to
>> the Issuer is probably preferred for asymmetric, especially if the
>> client can secure the private keys in hardware. But I don't know if one
>> way or the other is clearly better for symmetric case and PoP key
>> distribution currently has it the other way
>> <https://tools.ietf.org/html/draft-ietf-oauth-pop-key-distribution-02#section-4.2>.
>> Should the intro text somehow mention the possibility that the Issuer
>> could create the key and send it to the Presenter?
>> 
>> I know it's only the introduction but it was just something that jumped
>> out at me.  
>> 
>> 
>> 
>> 
>> 
>> On Wed, Nov 4, 2015 at 9:04 AM, Mike Jones <Michael.Jones@microsoft.com
>> <mailto:Michael.Jones@microsoft.com>> wrote:
>> 
>> Thanks for suggesting the diagrams, Kepeng. They make the document more
>> understandable.
>> 
>> -- Mike
>> 
>> ------------------------------------------------------------------------
>> 
>> *From: *Kepeng Li <mailto:kepeng.lkp@alibaba-inc.com>
>> *Sent: *‎11/‎5/‎2015 12:57 AM
>> *To: *Mike Jones <mailto:Michael.Jones@microsoft.com>; oauth@ietf.org
>> <mailto:oauth@ietf.org>
>> *Subject: *Re: Proof-of-Possession Key Semantics for JWTs spec
>> addressing final shepherd comment
>> 
>> Thank you Mike.
>> 
>> 
>> 
>> The diagrams look good to me.
>> 
>> 
>> 
>> Kind Regards
>> 
>> Kepeng
>> 
>> 
>> 
>> *发件人**: *Mike Jones <Michael.Jones@microsoft.com
>> <mailto:Michael.Jones@microsoft.com>>
>> *日期**: *Thursday, 5 November, 2015 12:32 am
>> *至**: *"oauth@ietf.org <mailto:oauth@ietf.org>" <oauth@ietf.org
>> <mailto:oauth@ietf.org>>
>> *抄送**: *Li Kepeng <kepeng.lkp@alibaba-inc.com
>> <mailto:kepeng.lkp@alibaba-inc.com>>
>> *主题**: *Proof-of-Possession Key Semantics for JWTs spec addressing
>> final shepherd comment
>> 
>> 
>> 
>> Proof-of-Possession Key Semantics for JWTs draft -06 addresses the
>> remaining document shepherd comment – adding use case diagrams to the
>> introduction.
>> 
>> 
>> 
>> The updated specification is available at:
>> 
>> ·        http://tools.ietf.org/html/draft-ietf-oauth-proof-of-possession-06
>> 
>> 
>> 
>> An HTML formatted version is also available at:
>> 
>> ·       
>> https://self-issued.info/docs/draft-ietf-oauth-proof-of-possession-06.html
>> 
>> 
>> 
>>                                                            -- Mike
>> 
>> 
>> 
>> P.S.  This note was also posted at http://self-issued.info/?p=1471 and
>> as @selfissued <https://twitter.com/selfissued>.
>> 
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>> https://www.ietf.org/mailman/listinfo/oauth
>> 
>> 
>> 
>> 
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>> 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth