[OAUTH-WG] Last Call comments on draft-ietf-oauth-proof-of-possession

Justin Richer <jricher@MIT.EDU> Tue, 24 March 2015 23:31 UTC

From: Justin Richer <jricher@MIT.EDU>
Date: Tue, 24 Mar 2015 18:31:11 -0500
Message-Id: <6DA5408F-2E11-45AE-A190-1724958D7960@mit.edu>
To: "<oauth@ietf.org>" <oauth@ietf.org>

I believe that this draft is misnamed and therefore somewhat misleading: it’s fundamentally a method of protected key transmission using JWT, and not about proof of possession of that key. The proof is in simply using the key to create a JWT within an application (such as will be in draft-ietf-oauth-signed-http-request). Proof of possession of a key does not require the transmission of the key or a direct reference through the client via a data structure, and I don’t want to accidentally give the impression that one needs to use a structured token for proof of possession to work.

For instance, in an alternative approach, the AS can issue a random-blob token to the client alongside the key value (as it’s done in this draft), and the client presents the random-blob token to the RS. The RS then looks up the information about the random-blob, using a local lookup or introspection or some other magic, to get the information that it needs. The client doesn’t need to know anything about it, as the token itself is opaque to the client.

That said, overall the structure and function of the draft are good for what it actually is. The client remains agnostic about what’s inside the token itself, as in regular OAuth. It gives semantic processing for an RS to process messages (of various types) signed by keys issued alongside these structured tokens.

I think this problem could be fixed by renaming the draft and rewriting the introduction.

 — Justin
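As an added illustration, not part of Justin's message or of the draft, here is the opaque-token alternative from the second paragraph with hypothetical AS, client and RS functions: the AS hands the client a random token plus a key, the RS resolves the token to the key by lookup, and possession is proven only by the signature over the request, so the token itself carries no key material and the client never inspects it.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Hypothetical AS-side binding store: opaque token -> bound symmetric key.
# Nothing about the key is encoded inside the token; it is just a random blob.
AS_TOKEN_STORE: dict = {}


def as_issue_token() -> tuple:
    """AS issues an opaque access token and a fresh key to the client."""
    token = secrets.token_urlsafe(32)
    key = secrets.token_bytes(32)
    AS_TOKEN_STORE[token] = key
    return token, key


def as_introspect(token: str) -> Optional[bytes]:
    """RS-side resolution of the token (local lookup or an introspection call)."""
    return AS_TOKEN_STORE.get(token)


def _signing_input(method: str, path: str, body: bytes) -> bytes:
    # Constructed signing input: request line plus a hash of the body.
    return f"{method} {path}\n".encode() + hashlib.sha256(body).digest()


def client_sign_request(token: str, key: bytes, method: str, path: str, body: bytes) -> dict:
    """Client proves possession by signing with the key; it treats the token as opaque."""
    sig = hmac.new(key, _signing_input(method, path, body), hashlib.sha256).hexdigest()
    return {"token": token, "method": method, "path": path, "body": body, "sig": sig}


def rs_verify_request(req: dict) -> bool:
    """RS maps the opaque token to its key, then checks the signature over the request.

    A stolen token presented without the key, a tampered body, or an unknown
    token all fail here, which is the property a bearer token cannot give.
    """
    key = as_introspect(req["token"])
    if key is None:
        return False
    expected = hmac.new(key, _signing_input(req["method"], req["path"], req["body"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, req["sig"])
```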