IETF Logo Mail Archive

Re: [OAUTH-WG] Holder-of-the-Key for OAuth

Anthony Nadalin <tonynad@microsoft.com> Tue, 10 July 2012 16:36 UTC

Return-Path: <tonynad@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BE8F211E8197 for <oauth@ietfa.amsl.com>; Tue, 10 Jul 2012 09:36:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.643
X-Spam-Level:
X-Spam-Status: No, score=-0.643 tagged_above=-999 required=5 tests=[AWL=-0.176, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, UNRESOLVED_TEMPLATE=3.132]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9WMvOzbFou60 for <oauth@ietfa.amsl.com>; Tue, 10 Jul 2012 09:36:30 -0700 (PDT)
Received: from ch1outboundpool.messaging.microsoft.com (ch1ehsobe002.messaging.microsoft.com [216.32.181.182]) by ietfa.amsl.com (Postfix) with ESMTP id D9C5111E80CE for <oauth@ietf.org>; Tue, 10 Jul 2012 09:36:29 -0700 (PDT)
Received: from mail195-ch1-R.bigfish.com (10.43.68.225) by CH1EHSOBE007.bigfish.com (10.43.70.57) with Microsoft SMTP Server id 14.1.225.23; Tue, 10 Jul 2012 16:34:37 +0000
Received: from mail195-ch1 (localhost [127.0.0.1]) by mail195-ch1-R.bigfish.com (Postfix) with ESMTP id A173BC00B0 for <oauth@ietf.org>; Tue, 10 Jul 2012 16:34:37 +0000 (UTC)
X-Forefront-Antispam-Report: CIP:131.107.125.8; KIP:(null); UIP:(null); IPV:NLI; H:TK5EX14MLTC102.redmond.corp.microsoft.com; RD:none; EFVD:NLI
X-SpamScore: -21
X-BigFish: VS-21(z1725nz98dI9371I936eI148cI542M1432Izz1202h1082kzz1033IL8275dhz2fh2a8h683h839h944hd25hf0ah107ah)
Received-SPF: pass (mail195-ch1: domain of microsoft.com designates 131.107.125.8 as permitted sender) client-ip=131.107.125.8; envelope-from=tonynad@microsoft.com; helo=TK5EX14MLTC102.redmond.corp.microsoft.com ; icrosoft.com ;
X-Forefront-Antispam-Report-Untrusted: CIP:157.56.240.21; KIP:(null); UIP:(null); (null); H:BL2PRD0310HT002.namprd03.prod.outlook.com; R:internal; EFV:INT
Received: from mail195-ch1 (localhost.localdomain [127.0.0.1]) by mail195-ch1 (MessageSwitch) id 134193807516917_1408; Tue, 10 Jul 2012 16:34:35 +0000 (UTC)
Received: from CH1EHSMHS011.bigfish.com (snatpool2.int.messaging.microsoft.com [10.43.68.232]) by mail195-ch1.bigfish.com (Postfix) with ESMTP id ED13B3C004A for <oauth@ietf.org>; Tue, 10 Jul 2012 16:34:34 +0000 (UTC)
Received: from TK5EX14MLTC102.redmond.corp.microsoft.com (131.107.125.8) by CH1EHSMHS011.bigfish.com (10.43.70.11) with Microsoft SMTP Server (TLS) id 14.1.225.23; Tue, 10 Jul 2012 16:34:33 +0000
Received: from db3outboundpool.messaging.microsoft.com (157.54.51.81) by mail.microsoft.com (157.54.79.180) with Microsoft SMTP Server (TLS) id 14.2.298.5; Tue, 10 Jul 2012 16:36:51 +0000
Received: from mail120-db3-R.bigfish.com (10.3.81.227) by DB3EHSOBE006.bigfish.com (10.3.84.26) with Microsoft SMTP Server id 14.1.225.23; Tue, 10 Jul 2012 16:34:29 +0000
Received: from mail120-db3 (localhost [127.0.0.1]) by mail120-db3-R.bigfish.com (Postfix) with ESMTP id D87EC1001C1 for <oauth@ietf.org.FOPE.CONNECTOR.OVERRIDE>; Tue, 10 Jul 2012 16:34:29 +0000 (UTC)
Received: from mail120-db3 (localhost.localdomain [127.0.0.1]) by mail120-db3 (MessageSwitch) id 1341938068661425_15823; Tue, 10 Jul 2012 16:34:28 +0000 (UTC)
Received: from DB3EHSMHS004.bigfish.com (unknown [10.3.81.253]) by mail120-db3.bigfish.com (Postfix) with ESMTP id 940CA3A0277; Tue, 10 Jul 2012 16:34:28 +0000 (UTC)
Received: from BL2PRD0310HT002.namprd03.prod.outlook.com (157.56.240.21) by DB3EHSMHS004.bigfish.com (10.3.87.104) with Microsoft SMTP Server (TLS) id 14.1.225.23; Tue, 10 Jul 2012 16:34:27 +0000
Received: from BL2PRD0310MB362.namprd03.prod.outlook.com ([169.254.12.220]) by BL2PRD0310HT002.namprd03.prod.outlook.com ([10.255.97.37]) with mapi id 14.16.0164.004; Tue, 10 Jul 2012 16:36:28 +0000
From: Anthony Nadalin <tonynad@microsoft.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Thread-Topic: [OAUTH-WG] Holder-of-the-Key for OAuth
Thread-Index: AQHNXf7R8o8oKGDddUekOoP+IJtc+pchTCgQgAADZYCAAQNmAIAAQKzAgAAd1oCAAAah4A==
Date: Tue, 10 Jul 2012 16:36:27 +0000
Message-ID: <B26C1EF377CB694EAB6BDDC8E624B6E74F97B438@BL2PRD0310MB362.namprd03.prod.outlook.com>
References: <8FB1BC31-D183-47A0-9792-4FDF460AFAA1@gmx.net> <B26C1EF377CB694EAB6BDDC8E624B6E74F979CF1@BL2PRD0310MB362.namprd03.prod.outlook.com> <22194120-0613-48A7-9825-FD3BAD76062A@gmx.net> <C433DCE1-3015-4442-9DD0-A5228415D6C0@ve7jtb.com> <B26C1EF377CB694EAB6BDDC8E624B6E74F97B2E2@BL2PRD0310MB362.namprd03.prod.outlook.com> <6D7E3A30-873A-41DD-8ADA-A3334E023576@gmx.net>
In-Reply-To: <6D7E3A30-873A-41DD-8ADA-A3334E023576@gmx.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [131.107.174.57]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OrganizationHeadersPreserved: BL2PRD0310HT002.namprd03.prod.outlook.com
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%GMX.NET$RO%2$TLS%6$FQDN%131.107.125.5$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%VE7JTB.COM$RO%2$TLS%6$FQDN%131.107.125.5$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%IETF.ORG$RO%2$TLS%6$FQDN%131.107.125.5$TlsDn%
X-CrossPremisesHeadersPromoted: TK5EX14MLTC102.redmond.corp.microsoft.com
X-CrossPremisesHeadersFiltered: TK5EX14MLTC102.redmond.corp.microsoft.com
X-OriginatorOrg: microsoft.com
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Holder-of-the-Key for OAuth
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Jul 2012 16:36:30 -0000

The key does not have to be bound to the channel, that is just one option, the key can be a negotiated key

-----Original Message-----
From: Hannes Tschofenig [mailto:hannes.tschofenig@gmx.net] 
Sent: Tuesday, July 10, 2012 9:12 AM
To: Anthony Nadalin
Cc: Hannes Tschofenig; John Bradley; OAuth WG
Subject: Re: [OAUTH-WG] Holder-of-the-Key for OAuth

If we do not bind the key to the channel than we will run into all sorts of problems. The current MAC specification illustrates that quite nicely. On top of that you can re-use the established security channel for the actual data exchange. 

On Jul 10, 2012, at 5:29 PM, Anthony Nadalin wrote:

>> One question is if we want to do a generic proof of possession for JWT that is useful outside OAuth,  or something OAuth specific.    The answer may be a combined approach.
> 
> Depends if we want OAuth to support the concept of a request/response for a proof token and keep the actual binding for a separate specification, in most of our cases the keying material is opaque (and just a blob), where we care about the key material  is in the key agreement (entropy) cases.
> 
> -----Original Message-----
> From: John Bradley [mailto:ve7jtb@ve7jtb.com] 
> Sent: Tuesday, July 10, 2012 3:34 AM
> To: Hannes Tschofenig
> Cc: Anthony Nadalin; OAuth WG
> Subject: Re: [OAUTH-WG] Holder-of-the-Key for OAuth
> 
> I agree that there are use-cases for all of the proof of possession mechanisms.
> 
> Presentment methods also need to be considered.   
> 
> TLS client auth may not always be the best option.  Sometimes message signing is more appropriate.
> 
> One question is if we want to do a generic proof of possession for JWT that is useful outside OAuth,  or something OAuth specific.    The answer may be a combined approach.
> 
> I think this is a good start to get discussion going.
> 
> John B.
> On 2012-07-09, at 3:05 PM, Hannes Tschofenig wrote:
> 
>> Hi Tony, 
>> 
>> I had to start somewhere. I had chosen the asymmetric version since it provides good security properties and there is already the BrowserID/OBC work that I had in the back of my mind. I am particularly interested to illustrate that you can accomplish the same, if not better, characteristics than BrowserID by using OAuth instead of starting from scratch. 
>> 
>> Regarding the symmetric keys: The asymmetric key can be re-used but with a symmetric key holder-of-the-key you would have to request a fresh one every time in order to accomplish comparable security benefits. 
>> 
>> Ciao
>> Hannes
>> 
>> On Jul 9, 2012, at 9:57 PM, Anthony Nadalin wrote:
>> 
>>> Hannes, thanks for drafting this, couple of comments:
>>> 
>>> 1. HOK is one of Proof of Possession methods, should we consider others?
>>> 2. This seems just to handle asymmetric keys, need to also handle symmetric keys
>>> 
>>> 
>>> -----Original Message-----
>>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes Tschofenig
>>> Sent: Monday, July 09, 2012 11:15 AM
>>> To: OAuth WG
>>> Subject: [OAUTH-WG] Holder-of-the-Key for OAuth
>>> 
>>> Hi guys, 
>>> 
>>> today I submitted a short document that illustrates the concept of holder-of-the-key for OAuth. 
>>> Here is the document: 
>>> https://datatracker.ietf.org/doc/draft-tschofenig-oauth-hotk
>>> 
>>> Your feedback is welcome 
>>> 
>>> Ciao
>>> Hannes
>>> 
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>> 
>>> 
>>> 
>>> 
>>> 
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
> 
> 
> 
> 
> 
>

v2.23.0 | Report a Bug | By Email