Re: [OAUTH-WG] Holder-of-the-Key for OAuth

Anthony Nadalin <tonynad@microsoft.com> Tue, 10 July 2012 17:01 UTC

From: Anthony Nadalin <tonynad@microsoft.com>
To: John Bradley <ve7jtb@ve7jtb.com>, Hannes Tschofenig <hannes.tschofenig@gmx.net>
Date: Tue, 10 Jul 2012 17:01:24 +0000
Message-ID: <B26C1EF377CB694EAB6BDDC8E624B6E74F97B4C1@BL2PRD0310MB362.namprd03.prod.outlook.com>
References: <8FB1BC31-D183-47A0-9792-4FDF460AFAA1@gmx.net> <B26C1EF377CB694EAB6BDDC8E624B6E74F979CF1@BL2PRD0310MB362.namprd03.prod.outlook.com> <22194120-0613-48A7-9825-FD3BAD76062A@gmx.net> <C433DCE1-3015-4442-9DD0-A5228415D6C0@ve7jtb.com> <B26C1EF377CB694EAB6BDDC8E624B6E74F97B2E2@BL2PRD0310MB362.namprd03.prod.outlook.com> <6D7E3A30-873A-41DD-8ADA-A3334E023576@gmx.net> <397384FE-394C-4C4B-8962-56E4F86579C1@ve7jtb.com>
In-Reply-To: <397384FE-394C-4C4B-8962-56E4F86579C1@ve7jtb.com>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Holder-of-the-Key for OAuth

> Binding the key to the channel is arguably the most secure

Not really; there are hardware options that give good security properties.

-----Original Message-----
From: John Bradley [mailto:ve7jtb@ve7jtb.com] 
Sent: Tuesday, July 10, 2012 9:55 AM
To: Hannes Tschofenig
Cc: Anthony Nadalin; Hannes Tschofenig; OAuth WG
Subject: Re: [OAUTH-WG] Holder-of-the-Key for OAuth

Binding the key to the channel is arguably the most secure. 

SSL offloading and other factors may prevent that from working in all cases. 

I suspect that we will need two OAuth bindings. One for TLS and one for signed message. 

John B.  

Sent from my iPhone

On 2012-07-10, at 12:11 PM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:

> If we do not bind the key to the channel then we will run into all sorts of problems. The current MAC specification illustrates that quite nicely. On top of that you can re-use the established security channel for the actual data exchange.
> 
> On Jul 10, 2012, at 5:29 PM, Anthony Nadalin wrote:
> 
>>> One question is if we want to do a generic proof of possession for JWT that is useful outside OAuth, or something OAuth specific. The answer may be a combined approach.
>> 
>> Depends on whether we want OAuth to support the concept of a request/response for a proof token and keep the actual binding for a separate specification. In most of our cases the keying material is opaque (and just a blob); where we care about the key material is in the key agreement (entropy) cases.
>> 
>> -----Original Message-----
>> From: John Bradley [mailto:ve7jtb@ve7jtb.com] 
>> Sent: Tuesday, July 10, 2012 3:34 AM
>> To: Hannes Tschofenig
>> Cc: Anthony Nadalin; OAuth WG
>> Subject: Re: [OAUTH-WG] Holder-of-the-Key for OAuth
>> 
>> I agree that there are use-cases for all of the proof of possession mechanisms.
>> 
>> Presentment methods also need to be considered.   
>> 
>> TLS client auth may not always be the best option.  Sometimes message signing is more appropriate.
>> 
>> One question is if we want to do a generic proof of possession for JWT that is useful outside OAuth, or something OAuth specific. The answer may be a combined approach.
>> 
>> I think this is a good start to get discussion going.
>> 
>> John B.
>> On 2012-07-09, at 3:05 PM, Hannes Tschofenig wrote:
>> 
>>> Hi Tony, 
>>> 
>>> I had to start somewhere. I had chosen the asymmetric version since it provides good security properties and there is already the BrowserID/OBC work that I had in the back of my mind. I am particularly interested in illustrating that you can accomplish the same, if not better, characteristics than with BrowserID by using OAuth instead of starting from scratch.
>>> 
>>> Regarding the symmetric keys: The asymmetric key can be re-used but with a symmetric key holder-of-the-key you would have to request a fresh one every time in order to accomplish comparable security benefits. 
>>> 
>>> Ciao
>>> Hannes
>>> 
>>> On Jul 9, 2012, at 9:57 PM, Anthony Nadalin wrote:
>>> 
>>>> Hannes, thanks for drafting this; a couple of comments:
>>>> 
>>>> 1. HOK is one of the Proof of Possession methods; should we consider others?
>>>> 2. This seems just to handle asymmetric keys; it needs to also handle symmetric keys.
>>>> 
>>>> 
>>>> -----Original Message-----
>>>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes Tschofenig
>>>> Sent: Monday, July 09, 2012 11:15 AM
>>>> To: OAuth WG
>>>> Subject: [OAUTH-WG] Holder-of-the-Key for OAuth
>>>> 
>>>> Hi guys, 
>>>> 
>>>> today I submitted a short document that illustrates the concept of holder-of-the-key for OAuth. 
>>>> Here is the document: 
>>>> https://datatracker.ietf.org/doc/draft-tschofenig-oauth-hotk
>>>> 
>>>> Your feedback is welcome 
>>>> 
>>>> Ciao
>>>> Hannes
>>>> 
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
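The thread contrasts bearer tokens with holder-of-the-key tokens presented by message signing (the "signed message" binding John mentions) and notes that the symmetric variant needs a fresh key per token. The following is an added toy illustration, not code from draft-tschofenig-oauth-hotk or from any participant: the AS issues a token together with a fresh symmetric key, the client signs each request with that key, and the RS accepts only requests that prove possession of the bound key, so a token copied off the wire is useless on its own. All names (`issue_hok_token`, `sign_request`, `verify_request`, `verify_bearer`) and the message format are assumptions made for this example.

```python
import hmac, hashlib, secrets, time

# Constructed AS state: token -> binding record. With symmetric holder-of-the-key,
# every token gets its own fresh key (re-using one key across tokens would let the
# RS, or anyone who learns it, impersonate the client on later tokens).
_issued = {}
_seen_nonces = set()   # RS replay cache for signed messages (assumed, not from the draft)

def issue_hok_token(client_id, scope, now=None):
    """AS: issue an access token bound to a fresh per-token symmetric key."""
    now = now if now is not None else time.time()
    token, key = secrets.token_urlsafe(16), secrets.token_bytes(32)
    _issued[token] = {"client": client_id, "scope": scope, "key": key, "exp": now + 300}
    return token, key   # the token travels with each request; the key stays with the client

def _message(method, uri, token, ts, nonce):
    # Canonical signed string: binds the proof to this method, URI, token and time.
    return f"{method}\n{uri}\n{token}\n{ts}\n{nonce}".encode()

def sign_request(method, uri, token, key, now=None):
    """Client: signed-message presentment of the holder-of-the-key token."""
    ts = int(now if now is not None else time.time())
    nonce = secrets.token_hex(8)
    mac = hmac.new(key, _message(method, uri, token, ts, nonce), hashlib.sha256).hexdigest()
    return {"token": token, "ts": ts, "nonce": nonce, "mac": mac}

def verify_request(method, uri, proof, now=None):
    """RS: look up the key bound to the token and require a valid, fresh, unseen proof."""
    now = now if now is not None else time.time()
    rec = _issued.get(proof["token"])
    if rec is None or rec["exp"] < now:
        return False                                   # unknown or expired token
    if abs(now - proof["ts"]) > 60 or proof["nonce"] in _seen_nonces:
        return False                                   # stale message or replayed proof
    expected = hmac.new(rec["key"], _message(method, uri, proof["token"], proof["ts"],
                                            proof["nonce"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, proof["mac"]):
        return False                                   # presenter does not hold the key
    _seen_nonces.add(proof["nonce"])
    return True

def verify_bearer(token, now=None):
    """Contrast: a bearer check accepts anyone who merely holds the token string."""
    rec = _issued.get(token)
    return rec is not None and rec["exp"] >= (now if now is not None else time.time())
```

Run the functions in sequence to see that a stolen token passes `verify_bearer` but fails `verify_request` without the key, and that an intercepted signed request fails on replay.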