Re: [OAUTH-WG] [Ace] New OAuth client credentials RPK and PSK

Jim Schaad <> Sun, 14 May 2017 20:33 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 22F18128B8E; Sun, 14 May 2017 13:33:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id u_dWTlEVBJ8d; Sun, 14 May 2017 13:33:14 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id E0E04127977; Sun, 14 May 2017 13:29:09 -0700 (PDT)
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0006_01D2CCB4.8D30C950"
Content-Language: en-us
DKIM-Signature: v=1; a=rsa-sha256;; s=winery; c=simple/simple; t=1494793748; h=from:subject:to:date:message-id; bh=STC2dMLkpzH3n6mwKiHt/r7IpIZQlkciAOrTpUvFH2k=; b=SQGP8R8LY0hy8dNSYGFvfmX2oKn4XovTqTU7alsdFdi+Qh6GiZAzBWNjOIHC+uBvaV7/0rwlxHj 7qCVIU3azwCvxL4LR4BImMBO85Q6mOGtIt4xcxff1eO2znDNlKRtLY+RhxKg+DR31Giycof9z8jGs n8S18+hT7jG5HFFRkExBtuc+QSEZh5AP0HFb7r0RrR55RH/KVwuQ78cOK9jC6W2TDFPZzEVg9/FLS NpOUPsGQpQLwFztfScaH+bXFM8E3g2M46jf7m7nEHClp+BU9LQsfwrY1t+5bNz+aYe+QctXB2wD53 2Nm5qQiPQ51TD4exWBd0c83A/QGyO2udf6IA==
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1263.5; Sun, 14 May 2017 13:29:07 -0700
Received: from Hebrews ( by ( with Microsoft SMTP Server (TLS) id 15.0.1263.5; Sun, 14 May 2017 13:29:00 -0700
From: Jim Schaad <>
To: 'Samuel Erdtman' <>, <>, 'ace' <>
References: <>
In-Reply-To: <>
Date: Sun, 14 May 2017 13:18:14 -0700
Message-ID: <000501d2ccef$398d0940$aca71bc0$>
MIME-Version: 1.0
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQF2pOMAEHj6tEKs9s8Af1VsoCYHA6KslJaw
X-Originating-IP: []
Archived-At: <>
Subject: Re: [OAUTH-WG] [Ace] New OAuth client credentials RPK and PSK
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 14 May 2017 20:33:16 -0000

How is this draft supposed to interact with draft-gerdes-ace-dtls-authorize?





From: Ace [] On Behalf Of Samuel Erdtman
Sent: Friday, May 12, 2017 1:03 AM
To: <>; <>;; ace <>;
Cc: Ludwig Seitz <>;
Subject: [Ace] New OAuth client credentials RPK and PSK


Hi ACE and OAuth WGs,

I and Ludwig submitted a new draft yesterday defining how to use Raw Public Key and Pre Shared Key with (D)TLS as OAuth client credentials,


We think this is valuable to the ACE work since the ACE framework is based on OAuth, but client credentials as defined in the OAuth framework are not the best match for embedded devices.

We think Raw Public Keys and Pre Shared Keys are more suitable credentials for embedded devices for the following reasons:

* Better security by binding to transport layer.

* If PSK DTLS is to be used a key need to be distributed any way, why not make use of it as credential.

* Client id and client secret accommodates for manual input by a humans. This does not scale well and requires some for of input device.

* Some/many devices will have crypto-hardware that can protect key material, to not use that possibility would be a waste.

* There are probably more reasons these was just the once on top of my head.


This is not the first resent initiative to create new client credential types, the OAuth WG adopted a similar draft for certificate based client credentials ( That work is also valuable to ACE but not all devices will be able to work with certificates or even asymmetric cryptos .

Please review and comment.