Re: [OAUTH-WG] Proof-of-Possession Key Semantics for JWTs spec addressing final shepherd comment

Brian Campbell <bcampbell@pingidentity.com> Wed, 04 November 2015 22:48 UTC

From: Brian Campbell <bcampbell@pingidentity.com>
Date: Wed, 4 Nov 2015 15:47:50 -0700
Message-ID: <CA+k3eCRW=ggajMeL1z2cvLDkou9XsLMupicH-5HyDkadj0_o_g@mail.gmail.com>
To: Mike Jones <Michael.Jones@microsoft.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/QSDxPh6adFNzTgO-quHEzRemJbw>
Cc: "oauth@ietf.org" <oauth@ietf.org>

+1 for the diagrams making the document more understandable.

One little nit/question: step 1 in both Symmetric and Asymmetric keys shows
the Presenter sending the key to the Issuer. It's possible, however, for
the key to be sent the other way. The Presenter sending it to the Issuer is
probably preferred for asymmetric, especially if the client can secure the
private keys in hardware. But I don't know if one way or the other is
clearly better for the symmetric case, and PoP key distribution currently has it
the other way
<https://tools.ietf.org/html/draft-ietf-oauth-pop-key-distribution-02#section-4.2>.
Should the intro text somehow mention the possibility that the Issuer could
create the key and send it to the Presenter?

I know it's only the introduction but it was just something that jumped out
at me.


On Wed, Nov 4, 2015 at 9:04 AM, Mike Jones <Michael.Jones@microsoft.com>
wrote:

> Thanks for suggesting the diagrams, Kepeng. They make the document more
> understandable.
>
> -- Mike
> ------------------------------
> From: Kepeng Li <kepeng.lkp@alibaba-inc.com>
> Sent: 11/5/2015 12:57 AM
> To: Mike Jones <Michael.Jones@microsoft.com>; oauth@ietf.org
> Subject: Re: Proof-of-Possession Key Semantics for JWTs spec addressing
> final shepherd comment
>
> Thank you Mike.
>
> The diagrams look good to me.
>
> Kind Regards
> Kepeng
>
> From: Mike Jones <Michael.Jones@microsoft.com>
> Date: Thursday, 5 November, 2015 12:32 am
> To: "oauth@ietf.org" <oauth@ietf.org>
> Cc: Li Kepeng <kepeng.lkp@alibaba-inc.com>
> Subject: Proof-of-Possession Key Semantics for JWTs spec addressing final
> shepherd comment
>
> Proof-of-Possession Key Semantics for JWTs draft -06 addresses the
> remaining document shepherd comment – adding use case diagrams to the
> introduction.
>
> The updated specification is available at:
>
> · http://tools.ietf.org/html/draft-ietf-oauth-proof-of-possession-06
>
> An HTML formatted version is also available at:
>
> · https://self-issued.info/docs/draft-ietf-oauth-proof-of-possession-06.html
>
> -- Mike
>
> P.S.  This note was also posted at http://self-issued.info/?p=1471 and as
> @selfissued <https://twitter.com/selfissued>.
>
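The two key-establishment directions discussed in the thread, as an added illustration that is not code from the thread, the draft or the PoP key-distribution document: the presenter-generated asymmetric key is bound into the JWT's `cnf` claim as a public JWK, the issuer-generated symmetric key is bound by `kid` and must be delivered to the presenter by the issuer, and the recipient's possession check differs accordingly. The `JWK`/`Cnf` structs, the nonce and the `kid` value are constructed for this example; JWT serialization and signing by the issuer are left out.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"math/big"
)
// "cnf" claim per draft-ietf-oauth-proof-of-possession: which member is set
// depends on which party created the key (the point raised in the mail above).
type JWK struct{ Kty, Crv, X, Y string }
type Cnf struct {
	JWK *JWK   // presenter-generated key pair: public half handed to the issuer
	Kid string // issuer-generated symmetric key, delivered to the presenter
}
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
// Presenter -> Issuer: the private key never leaves the presenter; only the
// public JWK is sent for the issuer to bind into cnf.
func PresenterSuppliedCnf(pub *ecdsa.PublicKey) Cnf {
	x, y := make([]byte, 32), make([]byte, 32)
	pub.X.FillBytes(x)
	pub.Y.FillBytes(y)
	return Cnf{JWK: &JWK{Kty: "EC", Crv: "P-256", X: b64(x), Y: b64(y)}}
}
// Issuer -> Presenter: the issuer mints the symmetric key, binds it by kid and
// must itself deliver the key to the presenter (draft "jwe" member or out of band).
func IssuerSuppliedCnf(kid string) (Cnf, []byte) {
	k := make([]byte, 32)
	rand.Read(k)
	return Cnf{Kid: kid}, k
}
// Recipient check, asymmetric case: presenter signs the recipient's nonce; the
// recipient verifies only against the key bound in cnf.jwk.
func VerifyAsymmetric(c Cnf, nonce, sigASN1 []byte) bool {
	if c.JWK == nil { return false }
	xb, _ := base64.RawURLEncoding.DecodeString(c.JWK.X)
	yb, _ := base64.RawURLEncoding.DecodeString(c.JWK.Y)
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(xb), Y: new(big.Int).SetBytes(yb)}
	h := sha256.Sum256(nonce)
	return ecdsa.VerifyASN1(pub, h[:], sigASN1)
}
// Recipient check, symmetric case: HMAC over the nonce with the issuer-shared key (by cnf.kid).
func VerifySymmetric(key, nonce, tag []byte) bool {
	m := hmac.New(sha256.New, key)
	m.Write(nonce)
	return hmac.Equal(m.Sum(nil), tag)
}
```

In the symmetric direction the recipient also has to obtain the key from the issuer, which is exactly the extra distribution step the intro text would need to mention.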