Re: [OAUTH-WG] Last Call comments on draft-ietf-oauth-proof-of-possession

Mike Jones <Michael.Jones@microsoft.com> Tue, 11 August 2015 04:17 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: Nat Sakimura <sakimura@gmail.com>, Justin Richer <jricher@mit.edu>
Thread-Topic: [OAUTH-WG] Last Call comments on draft-ietf-oauth-proof-of-possession
Thread-Index: AQHQZpU8IgJqjygHb0Srh12683YxeJ4HCy1g
Date: Tue, 11 Aug 2015 04:17:04 +0000
Message-ID: <BY2PR03MB4423FBF166B5111249676C8F57F0@BY2PR03MB442.namprd03.prod.outlook.com>
References: <6DA5408F-2E11-45AE-A190-1724958D7960@mit.edu> <CABzCy2BwEnh__mBveDgzBfkByhHjxpwK+mEG1vHJ+bY7kqQr4w@mail.gmail.com>
In-Reply-To: <CABzCy2BwEnh__mBveDgzBfkByhHjxpwK+mEG1vHJ+bY7kqQr4w@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/PiBI_SXtH91jqrZu9vOM2ZRfbtc>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Last Call comments on draft-ietf-oauth-proof-of-possession

Hi Nat,

Per my response to Justin, the title and introduction were revised to address the confusion.  It did not introduce the term “Registered token”, since this isn’t standard terminology that I’m aware of, and would therefore likely cause more readability issues than it would solve.  Use of the “azp” (authorized party) claim is also now described in Section 3 of -03.

-- Mike

From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Nat Sakimura
Sent: Tuesday, March 24, 2015 5:47 PM
To: Justin Richer
Cc: <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Last Call comments on draft-ietf-oauth-proof-of-possession

I tend to agree.

This document is describing the format of (a subset of) what I have been calling a Registered token, in contrast to a bearer token.

It is currently covering two types of registered token:
- key embedding
- key reference embedding

There can be other types such as
- authorized presenter ID embedding

etc. as well, in which case, you would have a top level member "azp" and no "cnf".

Perhaps a title change to something like "JWT registered token format" etc. may be a good idea.

Cheers,

Nat


2015-03-25 8:31 GMT+09:00 Justin Richer <jricher@mit.edu>:
I believe that this draft is misnamed and therefore somewhat misleading: it’s fundamentally a method of protected key transmission using JWT, and not about proof of possession of that key. The proof is in simply using the key to create a JWT within an application (such as will be in draft-ietf-oauth-signed-http-request). Proof of possession of a key does not require the transmission of the key or a direct reference through the client via a data structure, and I don’t want to accidentally give the impression that one needs to use a structured token for proof of possession to work.

For instance, in an alternative approach, the AS can issue a random-blob token to the client along side the key value (as it’s done in this draft), and the client presents the random-blob token to the RS. The RS then looks up the information about the random-blob, using a local lookup or introspection or some other magic, to get the information that it needs. The client doesn’t need to know anything about it, as the token itself is opaque to the client.

That said, overall the structure and function of the draft is good for what it actually is. The client remains agnostic about what’s inside the token itself, as in regular OAuth. It gives semantic processing for an RS to process messages (of various types) signed by keys issued alongside these structured tokens.

I think this problem could be fixed by renaming the draft and rewriting the introduction.

 — Justin

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth



--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
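The thread distinguishes three shapes of token: key embedding (a `cnf` claim carrying the key itself), key reference (a `cnf` claim carrying a `kid` the resource server already knows), and an `azp`-only token with no `cnf`, plus Justin's point that the client stays agnostic about what is inside. The following resource-server check is an added example, not code from the draft or from any participant. It uses only the Python standard library (HS256 JWS, so the AS/RS and client keys are symmetric), and the proof format (`iat` plus a hash of method and URL) is a constructed stand-in rather than draft-ietf-oauth-signed-http-request; all key bytes, `kid` values and URLs are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed key material (not from the draft). The AS/RS shared key signs the
# access token; the two client keys are the confirmation keys a client proves
# possession of. A real symmetric key inside cnf would be encrypted to the RS;
# it is shown in the clear here only so the structure is visible.
AS_KEY = b"constructed-authorization-server-hmac-key"
EMBEDDED_KEY = b"constructed-client-key-embedded"
REFERENCED_KEY = b"constructed-client-key-referenced"
RS_KEY_TABLE = {"client-key-1": REFERENCED_KEY}  # RS-local kid -> key store


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jws_hs256_sign(claims: dict, key: bytes) -> str:
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def jws_hs256_verify(token: str, key: bytes) -> dict:
    """Return the claims if the HS256 signature checks out, else raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWS")
    header, payload, sig = parts
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the verifier, not the token, fixes the algorithm
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload))


def request_hash(method: str, url: str) -> str:
    return b64url(hashlib.sha256(f"{method.upper()} {url}".encode()).digest())


def resolve_confirmation_key(cnf: dict, key_table: dict) -> bytes:
    """Handle the two cnf forms the thread mentions: embedded key and key reference."""
    if "jwk" in cnf:
        jwk = cnf["jwk"]
        if jwk.get("kty") != "oct":
            raise ValueError("only symmetric keys are handled in this example")
        return b64url_decode(jwk["k"])
    if "kid" in cnf:
        if cnf["kid"] not in key_table:
            raise ValueError("unknown kid")
        return key_table[cnf["kid"]]
    raise ValueError("no usable confirmation method")


def verify_presentation(access_token, method, url, proof=None, presenter_id=None, now=None):
    """RS-side check: validate the AS token, then the binding it carries."""
    now = time.time() if now is None else now
    claims = jws_hs256_verify(access_token, AS_KEY)
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if "cnf" in claims:
        key = resolve_confirmation_key(claims["cnf"], RS_KEY_TABLE)
        if proof is None:
            raise ValueError("proof required for a cnf token")
        proof_claims = jws_hs256_verify(proof, key)
        if proof_claims.get("req") != request_hash(method, url):
            raise ValueError("proof does not cover this request")
        if abs(now - proof_claims.get("iat", 0)) > 60:
            raise ValueError("proof outside acceptance window")
        return claims
    if "azp" in claims:
        # No key to prove; the RS must have authenticated the presenter itself
        # (e.g. at the transport layer) and match it against the authorized party.
        if presenter_id is None or presenter_id != claims["azp"]:
            raise ValueError("presenter is not the authorized party")
        return claims
    raise ValueError("bearer-style token: nothing binds it to the presenter")


def presentation_ok(*args, **kwargs) -> bool:
    try:
        verify_presentation(*args, **kwargs)
        return True
    except ValueError:
        return False


def make_proof(key: bytes, method: str, url: str, now: float) -> str:
    """Client side: sign the request hash with the confirmation key."""
    return jws_hs256_sign({"iat": now, "req": request_hash(method, url)}, key)


def make_sample_tokens(now: float) -> dict:
    """AS side: the three token shapes discussed in the thread (constructed values)."""
    common = {"iss": "https://as.example", "aud": "https://rs.example", "exp": now + 600}
    return {
        "embedded": jws_hs256_sign({**common, "cnf": {"jwk": {"kty": "oct", "k": b64url(EMBEDDED_KEY)}}}, AS_KEY),
        "referenced": jws_hs256_sign({**common, "cnf": {"kid": "client-key-1"}}, AS_KEY),
        "azp": jws_hs256_sign({**common, "azp": "client-42"}, AS_KEY),
    }


if __name__ == "__main__":
    now = time.time()
    url = "https://rs.example/resource"
    tokens = make_sample_tokens(now)
    print("embedded:", presentation_ok(tokens["embedded"], "GET", url, proof=make_proof(EMBEDDED_KEY, "GET", url, now), now=now))
    print("wrong key:", presentation_ok(tokens["referenced"], "GET", url, proof=make_proof(EMBEDDED_KEY, "GET", url, now), now=now))
    print("azp:", presentation_ok(tokens["azp"], "GET", url, presenter_id="client-42", now=now))
```

The RS never trusts the token to name the algorithm or, for the `kid` form, to supply the key: the key comes from its own table, which is what makes the reference form a binding rather than a hint. Replaying a proof against a different method or URL, or presenting a `cnf` token with no proof at all, is rejected, while the `azp` branch shows that without a key the check collapses to "did the RS independently authenticate the presenter as that party".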