[OAUTH-WG] draft-ietf-oauth-pop-key-distribution-01 and Open Issues

Hannes Tschofenig <hannes.tschofenig@gmx.net> Thu, 05 March 2015 08:59 UTC

Message-ID: <54F81ADA.3000203@gmx.net>
Date: Thu, 05 Mar 2015 09:59:06 +0100
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
To: "oauth@ietf.org" <oauth@ietf.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/Aw_Zedxz3MQouoh3Vhil30StHuQ>

Hi all,

I refreshed the PoP key distribution document. No changes to the
content of the document.

The document contains two questions, namely

QUESTION: A benefit of asymmetric cryptography is to allow clients to
   request a PoP token for use with multiple resource servers.  The
   downside of that approach is linkability since different resource
   servers will be able to link individual requests to the same client.
   (The same is true if a single public key is linked with PoP
   tokens used with different resource servers.)  Nevertheless, to
   support the functionality the audience parameter could carry an array
   of values.  Is this desirable?

Hannes: My view is that we do not want to introduce linkability into
OAuth via the use of these keys. As such, different keys for different

QUESTION: Should we register the token_type and alg parameters for use
with the dynamic client registration protocol?

Hannes: I believe we should register these two parameters into the
dynamic client registration protocol since that allows us to configure
the values for the client rather than exchanging them with every message.

Feedback appreciated before the submission deadline.