Re: [OAUTH-WG] Holder-of-the-Key for OAuth

Anthony Nadalin <tonynad@microsoft.com> Mon, 09 July 2012 21:17 UTC

From: Anthony Nadalin <tonynad@microsoft.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Date: Mon, 09 Jul 2012 21:17:33 +0000
Message-ID: <B26C1EF377CB694EAB6BDDC8E624B6E74F97AECB@BL2PRD0310MB362.namprd03.prod.outlook.com>
References: <8FB1BC31-D183-47A0-9792-4FDF460AFAA1@gmx.net> <B26C1EF377CB694EAB6BDDC8E624B6E74F979CF1@BL2PRD0310MB362.namprd03.prod.outlook.com> <22194120-0613-48A7-9825-FD3BAD76062A@gmx.net>
In-Reply-To: <22194120-0613-48A7-9825-FD3BAD76062A@gmx.net>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Holder-of-the-Key for OAuth
List-Id: OAUTH WG <oauth.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>

> Regarding the symmetric keys: The asymmetric key can be re-used but with a symmetric key holder-of-the-key you would have to request a fresh one every time in order to accomplish comparable security benefits.

We have use cases for asymmetric, symmetric and for nonce (entropy), and thus would have to distinguish between these types requested and returned. Also, do you always see the proof token being embedded in the message, or also as part of the auth code?

-----Original Message-----
From: Hannes Tschofenig [mailto:hannes.tschofenig@gmx.net] 
Sent: Monday, July 09, 2012 12:05 PM
To: Anthony Nadalin
Cc: Hannes Tschofenig; OAuth WG
Subject: Re: [OAUTH-WG] Holder-of-the-Key for OAuth

Hi Tony, 

I had to start somewhere. I had chosen the asymmetric version since it provides good security properties and there is already the BrowserID/OBC work that I had in the back of my mind. I am particularly interested in illustrating that you can accomplish the same, if not better, characteristics than BrowserID by using OAuth instead of starting from scratch. 

Regarding the symmetric keys: The asymmetric key can be re-used but with a symmetric key holder-of-the-key you would have to request a fresh one every time in order to accomplish comparable security benefits. 

Ciao
Hannes

On Jul 9, 2012, at 9:57 PM, Anthony Nadalin wrote:

> Hannes, thanks for drafting this, couple of comments:
> 
> 1. HOK is one of the Proof of Possession methods, should we consider others?
> 2. This seems just to handle asymmetric keys, need to also handle symmetric keys
> 
> 
> -----Original Message-----
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes Tschofenig
> Sent: Monday, July 09, 2012 11:15 AM
> To: OAuth WG
> Subject: [OAUTH-WG] Holder-of-the-Key for OAuth
> 
> Hi guys, 
> 
> today I submitted a short document that illustrates the concept of holder-of-the-key for OAuth. 
> Here is the document: 
> https://datatracker.ietf.org/doc/draft-tschofenig-oauth-hotk
> 
> Your feedback is welcome 
> 
> Ciao
> Hannes
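The asymmetric-versus-symmetric point in Hannes's reply above, and Tony's question about where the proof key is carried, in runnable form. This is an added illustration, not code from the draft or from either author: the token layout (a JSON body with a `cnf` member naming the proof key, MAC'd by the authorization server), the request format, the `rs1`/`rs2` resource servers and their key store are all assumptions made here, and the RSA is a textbook hash-then-exponentiate toy used only so the file runs on the standard library. `scenario()` issues two tokens to one client, one per resource server, then lets a compromised first server try to forge a request to the second; it returns (legitimate request accepted, forgery accepted) for the asymmetric case, for one symmetric key reused across both tokens, and for a fresh symmetric key per token.

```python
"""Toy holder-of-the-key (HoK) flow: asymmetric vs. symmetric proof keys. Added illustration, not the
draft's wire format; textbook RSA (no padding) is here only so it runs on the stdlib. Never reuse it."""
import hashlib, hmac, json, secrets

def _is_probable_prime(n, rounds=16):
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):                                  # Miller-Rabin on an odd candidate
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # force top bit and oddness
        if _is_probable_prime(c):
            return c

def rsa_keygen(bits=512):                                    # ((e, n), (d, n)); 512-bit is demo-only
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:                                # e is prime, so gcd(e, phi) == 1
            return (e, p * q), (pow(e, -1, phi), p * q)

def rsa_sign(priv, data):                                     # textbook: SHA-256, then d-th power mod n
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), priv[0], priv[1])

def rsa_verify(pub, data, sig):
    return pow(sig, pub[0], pub[1]) == int.from_bytes(hashlib.sha256(data).digest(), "big")

AS_MAC_KEY = b"constructed-authorization-server-key"          # constructed; shared with RSs for brevity

def issue_token(aud, cnf):
    """AS binds the proof key via 'cnf': the public key itself, or a key id whose key the RS gets out of band."""
    body = json.dumps({"aud": aud, "scope": "read", "cnf": cnf}, sort_keys=True)
    return {"body": body, "mac": hmac.new(AS_MAC_KEY, body.encode(), "sha256").hexdigest()}

def _signing_input(token, method, path, nonce):
    # Covering the token MAC and the request stops cross-token and cross-request reuse of a proof.
    return f"{token['mac']}|{method}|{path}|{nonce}".encode()

def make_request(token, method, path, proof_key):
    """Client side: proof_key is an RSA private key tuple or a symmetric key (bytes)."""
    nonce = secrets.token_hex(8)
    data = _signing_input(token, method, path, nonce)
    if isinstance(proof_key, bytes):
        proof = hmac.new(proof_key, data, "sha256").hexdigest()
    else:
        proof = str(rsa_sign(proof_key, data))
    return {"token": token, "method": method, "path": path, "nonce": nonce, "proof": proof}

class ResourceServer:
    def __init__(self, name):
        self.name, self.keys, self.seen = name, {}, set()     # keys: kid -> symmetric key

    def accept(self, req):
        tok = req["token"]
        if not hmac.compare_digest(tok["mac"], hmac.new(AS_MAC_KEY, tok["body"].encode(), "sha256").hexdigest()):
            return False                                      # not issued by the AS
        body = json.loads(tok["body"])
        if body["aud"] != self.name or req["nonce"] in self.seen:
            return False                                      # wrong audience, or a replay
        data, cnf = _signing_input(tok, req["method"], req["path"], req["nonce"]), body["cnf"]
        if "kid" in cnf:                                      # symmetric: RS must hold the key itself
            k = self.keys.get(cnf["kid"])
            ok = k is not None and hmac.compare_digest(req["proof"], hmac.new(k, data, "sha256").hexdigest())
        else:                                                 # asymmetric: RS holds only the public key
            ok = rsa_verify(tuple(cnf["rsa_pub"]), data, int(req["proof"]))
        if ok:
            self.seen.add(req["nonce"])
        return ok

def scenario(mode):
    """(legit_ok, forged_ok) for 'asymmetric', 'symmetric-reused' or 'symmetric-fresh'; rs1 is compromised."""
    rs1, rs2 = ResourceServer("rs1"), ResourceServer("rs2")
    if mode == "asymmetric":
        pub, priv = rsa_keygen()
        cnf = {"rsa_pub": list(pub)}
        t1, t2 = issue_token("rs1", cnf), issue_token("rs2", cnf)   # one key pair reused for both tokens
        k1 = k2 = priv
    else:
        k1 = secrets.token_bytes(32)
        k2 = k1 if mode == "symmetric-reused" else secrets.token_bytes(32)
        t1, t2 = issue_token("rs1", {"kid": "k1"}), issue_token("rs2", {"kid": "k2"})
        rs1.keys["k1"], rs2.keys["k2"] = k1, k2                       # AS provisions each RS with its key
    legit = rs1.accept(make_request(t1, "GET", "/a", k1)) and rs2.accept(make_request(t2, "GET", "/b", k2))
    attacker_key = rsa_keygen()[1] if mode == "asymmetric" else k1   # all a rogue rs1 can bring to bear
    forged = rs2.accept(make_request(t2, "DELETE", "/b", attacker_key))   # assumes rs1 obtained t2
    return legit, forged
```

Reusing one key pair across tokens costs nothing here because each resource server only ever learns the public key; reusing one symmetric key means every server that can verify a proof can also mint one for any other token bound to that key, which is why a fresh symmetric key per token (or per resource server) is needed to match the asymmetric case. A real deployment would sign the token instead of sharing the MAC key with resource servers, use a padded signature scheme rather than raw RSA, and pair the nonce cache with a timestamp window so the replay set stays bounded.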