Re: [OAUTH-WG] Proof-of-Possession Key Semantics for JWTs spec addressing final shepherd comment

Mike Jones <Michael.Jones@microsoft.com> Thu, 05 November 2015 01:45 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>, Brian Campbell <bcampbell@pingidentity.com>
Date: Thu, 05 Nov 2015 01:44:49 +0000
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/B-DLwLP_LU3qnDQe6UI2CU1ae_c>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Proof-of-Possession Key Semantics for JWTs spec addressing final shepherd comment

Good point.  I'll republish in the next day or so adding that to the security considerations.

				-- Mike

-----Original Message-----
From: Hannes Tschofenig [mailto:hannes.tschofenig@gmx.net] 
Sent: Thursday, November 05, 2015 9:26 AM
To: Mike Jones; Brian Campbell
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Proof-of-Possession Key Semantics for JWTs spec addressing final shepherd comment

I agree that the effect is the same. From a security point of view there is only an impact if one of the two parties is in a better position to generate random numbers, which is the basis for generating a high entropy symmetric key.

On 11/04/2015 11:51 PM, Mike Jones wrote:
> Thanks for the detailed read, Brian.  You’re right that in the 
> symmetric case, either the issuer or the presenter can create the 
> symmetric PoP key and share it with the other party, since the effect is equivalent.
> I suspect that both the key distribution draft and this draft should 
> be updated with a sentence or two saying that either approach can be 
> taken.  Do others concur?
> 
>  
> 
>                                                             -- Mike
> 
>  
> 
> *From:*Brian Campbell [mailto:bcampbell@pingidentity.com]
> *Sent:* Thursday, November 05, 2015 7:48 AM
> *To:* Mike Jones
> *Cc:* Kepeng Li; oauth@ietf.org
> *Subject:* Re: [OAUTH-WG] Proof-of-Possession Key Semantics for JWTs 
> spec addressing final shepherd comment
> 
>  
> 
> +1 for the diagrams making the document more understandable.
> 
> One little nit/question, step 1 in both Symmetric and Asymmetric keys 
> shows the Presenter sending the key to the Issuer. It's possible, 
> however, for the key to be sent the other way. Presenter sending it to 
> the Issuer is probably preferred for asymmetric, especially if the 
> client can secure the private keys in hardware. But I don't know if 
> one way or the other is clearly better for symmetric case and PoP key 
> distribution currently has it the other way 
> <https://tools.ietf.org/html/draft-ietf-oauth-pop-key-distribution-02#section-4.2>.
> Should the intro text somehow mention the possibility that the Issuer 
> could create the key and send it to the Presenter?
> 
> I know it's only the introduction but it was just something that 
> jumped out at me.
> 
>  
> 
>  
> 
> On Wed, Nov 4, 2015 at 9:04 AM, Mike Jones 
> <Michael.Jones@microsoft.com <mailto:Michael.Jones@microsoft.com>> wrote:
> 
> Thanks for suggesting the diagrams, Kepeng. They make the document 
> more understandable.
> 
> -- Mike
> 
> ------------------------------------------------------------------------
> 
> *From: *Kepeng Li <mailto:kepeng.lkp@alibaba-inc.com>
> *Sent: *11/5/2015 12:57 AM
> *To: *Mike Jones <mailto:Michael.Jones@microsoft.com>; oauth@ietf.org 
> <mailto:oauth@ietf.org>
> *Subject: *Re: Proof-of-Possession Key Semantics for JWTs spec 
> addressing final shepherd comment
> 
> Thank you Mike.
> 
>  
> 
> The diagrams look good to me.
> 
>  
> 
> Kind Regards
> 
> Kepeng
> 
>  
> 
> *From:* Mike Jones <Michael.Jones@microsoft.com 
> <mailto:Michael.Jones@microsoft.com>>
> *Date:* Thursday, 5 November, 2015 12:32 am
> *To:* "oauth@ietf.org <mailto:oauth@ietf.org>" <oauth@ietf.org 
> <mailto:oauth@ietf.org>>
> *Cc:* Li Kepeng <kepeng.lkp@alibaba-inc.com 
> <mailto:kepeng.lkp@alibaba-inc.com>>
> *Subject:* Proof-of-Possession Key Semantics for JWTs spec addressing 
> final shepherd comment
> 
>  
> 
> Proof-of-Possession Key Semantics for JWTs draft -06 addresses the 
> remaining document shepherd comment – adding use case diagrams to the 
> introduction.
> 
>  
> 
> The updated specification is available at:
> 
> ·        http://tools.ietf.org/html/draft-ietf-oauth-proof-of-possession-06
> 
>  
> 
> An HTML formatted version is also available at:
> 
> ·        https://self-issued.info/docs/draft-ietf-oauth-proof-of-possession-06.html
> 
>  
> 
>                                                             -- Mike
> 
>  
> 
> P.S.  This note was also posted at http://self-issued.info/?p=1471 and 
> as @selfissued <https://twitter.com/selfissued>.
> 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org <mailto:OAuth@ietf.org> 
> https://www.ietf.org/mailman/listinfo/oauth
> 