Göran Selander <> Wed, 07 February 2018 16:00 UTC

From: Göran Selander <>
To: Hannes Tschofenig <>, "" <>, Dave Thaler <>
CC: "" <>
Date: Wed, 7 Feb 2018 16:00:00 +0000
Subject: Re: [OAUTH-WG] OSCORE

Hi Hannes,

Including Dave who may want to provide some background to the use case.

As I said, this was a proposed construction and was straightforward to
include in the draft. I’m not the right person to answer whether this is
useful for OAuth, but I’m interested in the answer.


On 2018-02-07 15:47, "Hannes Tschofenig" <> wrote:

>Hi Göran,
>Maybe you can then answer the question whether this is useful /
>applicable to HTTP. Asked differently, under what conditions does
>OSCORE not work for HTTP. This would help the folks in the group,
>including me, to determine whether this is actually something we should be
>looking into at all. Note that typical applications that use OAuth do not
>use CoAP -- only HTTP.
>In OAuth we had for several years tried to get HTTP message protection
>working and we have, unfortunately, failed to find a suitable solution.
>-----Original Message-----
>From: Göran Selander []
>Sent: 07 February 2018 15:37
>To: Hannes Tschofenig;
>Hi Hannes, and all
>Thanks for the announcement.
>To be a little bit more precise, the statement is that a CoAP-mappable
>HTTP message can be mapped to CoAP (using RFC 8075), protected with
>OSCORE (as specified in the referenced draft) and transported with HTTP
>(as exemplified in the referenced draft). The main use case is in
>conjunction with an HTTP-CoAP translational proxy (RFC 8075), and the
>mapping would with this construction result in a CoAP-mappable HTTP
>request being protected by an HTTP client and verified by a CoAP server.
>This functionality was proposed by OCF for their end-to-end REST use
>cases. Happy to hear any comments on the construction as described in the
>Note that Hannes referenced the wrong version of the draft, here is the
>On 2018-02-07 11:06, Hannes Tschofenig wrote:
>> Hi guys,
>> You may be interested to hear that a group of people working on
>> Internet of Things security believe they have found a solution to deal
>> with the challenges we had in protecting HTTP requests/responses.
>> Here is the draft:
>> (The draft is mostly focused on CoAP but it is supposed to be
>> applicable also to HTTP.)
>> Ciao
>> Hannes
>> IMPORTANT NOTICE: The contents of this email and any attachments are
>> confidential and may also be privileged. If you are not the intended
>> recipient, please notify the sender immediately and do not disclose
>> the contents to any other person, use it for any purpose, or store or
>> copy the information in any medium. Thank you.