Re: [OAUTH-WG] New Version Notification for draft-hunt-oauth-pop-architecture-00.txt
Mike Jones <Michael.Jones@microsoft.com> Thu, 03 April 2014 18:32 UTC
From: Mike Jones <Michael.Jones@microsoft.com>
To: John Bradley <ve7jtb@ve7jtb.com>, Phil Hunt <phil.hunt@oracle.com>
Date: Thu, 03 Apr 2014 18:31:52 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739439A139FC3@TK5EX14MBXC286.redmond.corp.microsoft.com>
References: <20140403083747.31162.58961.idtracker@ietfa.amsl.com> <1396541184.357.YahooMailNeo@web125601.mail.ne1.yahoo.com> <533D8CA3.6070005@oracle.com> <533D8E5F.8000600@redhat.com> <6BE94541-2DAA-4CDA-8478-E1BF99480629@oracle.com> <A3F617B5-BD1F-4A8F-8A46-2DD5D0FBF4F8@ve7jtb.com>
In-Reply-To: <A3F617B5-BD1F-4A8F-8A46-2DD5D0FBF4F8@ve7jtb.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/GUX4ofcXnYHewNMvC7FWdFuUT0E
Cc: "oauth@ietf.org" <oauth@ietf.org>
I agree with what John wrote below. Besides, PoP is more natural to say than HoK and certainly more natural to say than HOTK. I'd like us to stay with the term Proof-of-Possession (PoP).
-- Mike
From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of John Bradley
Sent: Thursday, April 03, 2014 11:10 AM
To: Phil Hunt
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] New Version Notification for draft-hunt-oauth-pop-architecture-00.txt
Some people and specs associate holder of key with asymmetric keys. Proof of possession is thought to be a broader category including symmetric and key agreement, e.g. http://tools.ietf.org/html/rfc2875.
NIST defines the term PoP Protocol http://fismapedia.org/index.php?title=Term:Proof_of_Possession_Protocol
In SAML the saml:SubjectConfirmation method is called urn:oasis:names:tc:SAML:2.0:cm:holder-of-key
In WS* the term proof of possession is more common.
So I think for this document as an overview "Proof of Possession (PoP) Architecture" is fine.
John B.
On Apr 3, 2014, at 12:41 PM, Phil Hunt <phil.hunt@oracle.com> wrote:
What was wrong with HOK?
Aside: Why was "the" so important in HOTK?
Phil
@independentid
www.independentid.com
phil.hunt@oracle.com
On Apr 3, 2014, at 9:37 AM, Anil Saldhana <Anil.Saldhana@redhat.com> wrote:
Prateek,
why not just use "proof"?
draft-hunt-oauth-proof-architecture-00.txt
Is that allowed by IETF?
Regards,
Anil
On 04/03/2014 11:30 AM, Prateek Mishra wrote:
"key confirmed" or "key confirmation" is another term that is widely used for these use-cases
I really *like* the name "proof of possession", but I think the acronym PoP is going to be confused with POP. HOTK has the advantage of not being a homonym for anything else. What about "Possession Proof"?
-bill
--------------------------------
William J. Mills
"Paranoid" MUX Yahoo!
On Thursday, April 3, 2014 1:38 AM, "internet-drafts@ietf.org" <internet-drafts@ietf.org> wrote:
A new version of I-D, draft-hunt-oauth-pop-architecture-00.txt
has been successfully submitted by Hannes Tschofenig and posted to the
IETF repository.
Name: draft-hunt-oauth-pop-architecture
Revision: 00
Title: OAuth 2.0 Proof-of-Possession (PoP) Security Architecture
Document date: 2014-04-03
Group: Individual Submission
Pages: 21
URL: http://www.ietf.org/internet-drafts/draft-hunt-oauth-pop-architecture-00.txt
Status: https://datatracker.ietf.org/doc/draft-hunt-oauth-pop-architecture/
Htmlized: http://tools.ietf.org/html/draft-hunt-oauth-pop-architecture-00
Abstract:
The OAuth 2.0 bearer token specification, as defined in RFC 6750,
allows any party in possession of a bearer token (a "bearer") to get
access to the associated resources (without demonstrating possession
of a cryptographic key). To prevent misuse, bearer tokens must be
protected from disclosure in transit and at rest.
Some scenarios demand additional security protection whereby a client
needs to demonstrate possession of cryptographic keying material when
accessing a protected resource. This document motivates the
development of the OAuth 2.0 proof-of-possession security mechanism.
Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.
The IETF Secretariat
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
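The distinction the announced draft's abstract draws, a bearer token that any holder can use versus a token whose use requires demonstrating possession of a key, as an added illustration that is not code from the draft or from anyone in this thread. It is a constructed example: the authorization server (AS) and resource server (RS) are assumed to share a secret protecting token contents; the PoP variant binds a symmetric key (one of the PoP flavours John mentions, alongside asymmetric keys) and the AS-to-RS key delivery channel is modelled as a dict. The field name "key_thumbprint" and the request-signing format are illustrative, not names from any specification.

```python
"""Bearer vs proof-of-possession access tokens (constructed illustration).

Assumptions (not from the draft): AS and RS share AS_RS_SECRET for token
integrity; KEY_REGISTRY stands in for whatever channel delivers a bound
symmetric key from AS to RS; "key_thumbprint" is an illustrative claim name.
"""
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional

AS_RS_SECRET = b"constructed-shared-secret"   # assumption: protects token integrity
KEY_REGISTRY: Dict[str, bytes] = {}           # assumption: models AS -> RS key delivery


def thumbprint(key: bytes) -> str:
    return hashlib.sha256(key).hexdigest()


def issue_token(subject: str, bound_key: Optional[bytes] = None) -> str:
    """AS mints a token; with bound_key it becomes a PoP token tied to that key."""
    claims = {"sub": subject}
    if bound_key is not None:
        claims["key_thumbprint"] = thumbprint(bound_key)
        KEY_REGISTRY[claims["key_thumbprint"]] = bound_key
    body = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(AS_RS_SECRET, body, hashlib.sha256).hexdigest()
    return body.hex() + "." + tag


def parse_token(token: str) -> Optional[dict]:
    """RS checks token integrity; returns the claims or None if the token is bad."""
    try:
        body_hex, tag = token.split(".")
        body = bytes.fromhex(body_hex)
    except ValueError:
        return None
    expected = hmac.new(AS_RS_SECRET, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(body)


def sign_request(key: bytes, method: str, path: str, nonce: str) -> str:
    """Client demonstrates possession: a MAC over the request it is about to send."""
    msg = "\n".join([method, path, nonce]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class ResourceServer:
    def __init__(self) -> None:
        self.seen_nonces = set()

    def handle(self, token: str, method: str, path: str,
               nonce: Optional[str] = None, proof: Optional[str] = None) -> str:
        claims = parse_token(token)
        if claims is None:
            return "reject: token integrity check failed"
        thumb = claims.get("key_thumbprint")
        if thumb is None:
            # Bearer: possession of the token string alone is sufficient.
            return "allow(bearer): sub=" + claims["sub"]
        key = KEY_REGISTRY.get(thumb)
        if key is None or nonce is None or proof is None:
            return "reject: proof of possession required"
        if nonce in self.seen_nonces:
            return "reject: replayed proof"
        expected = sign_request(key, method, path, nonce)
        if not hmac.compare_digest(expected, proof):
            return "reject: proof does not verify"
        self.seen_nonces.add(nonce)
        return "allow(pop): sub=" + claims["sub"]


def demo() -> Dict[str, str]:
    rs = ResourceServer()
    # Bearer token disclosed in transit or at rest: the thief looks exactly like the client.
    bearer = issue_token("alice")
    results = {"bearer_client": rs.handle(bearer, "GET", "/r"),
               "bearer_thief": rs.handle(bearer, "GET", "/r")}
    # PoP token: the token string leaks, the bound key does not.
    client_key = secrets.token_bytes(32)
    pop = issue_token("alice", client_key)
    n1 = secrets.token_hex(8)
    p1 = sign_request(client_key, "GET", "/r", n1)
    results["pop_client"] = rs.handle(pop, "GET", "/r", n1, p1)
    # Thief captured the token plus one signed request: replaying it or forging a new one both fail.
    results["pop_replay"] = rs.handle(pop, "GET", "/r", n1, p1)
    n2 = secrets.token_hex(8)
    results["pop_forge"] = rs.handle(pop, "DELETE", "/r", n2,
                                     sign_request(b"attacker-guess", "DELETE", "/r", n2))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:14s} {outcome}")
```

Running `demo()` shows the two outcomes the abstract contrasts: with the bearer token the thief's request is indistinguishable from the client's, whereas with the key-bound token the thief's replay is caught by the nonce cache and a freshly forged request fails the MAC check because the key never left the client.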