IETF Logo Mail Archive

Re: [OAUTH-WG] DPoP, how will it be implemented in a browser?

David Waite <david@alkaline-solutions.com> Mon, 11 October 2021 18:47 UTC

Return-Path: <david@alkaline-solutions.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EB86F3A0B80 for <oauth@ietfa.amsl.com>; Mon, 11 Oct 2021 11:47:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=alkaline-solutions.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sdDYS87dmlTc for <oauth@ietfa.amsl.com>; Mon, 11 Oct 2021 11:47:54 -0700 (PDT)
Received: from caesium6.alkaline.solutions (caesium6.alkaline.solutions [157.230.133.164]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4DEE83A097E for <oauth@ietf.org>; Mon, 11 Oct 2021 11:47:43 -0700 (PDT)
Received: from authenticated-user (PRIMARY_HOSTNAME [PUBLIC_IP]) by caesium6.alkaline.solutions (Postfix) with ESMTPA id CAD7920653B; Mon, 11 Oct 2021 18:47:40 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=alkaline-solutions.com; s=dkim; t=1633978061; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=8MuE3UgOg4jbRG93JcDwI7gSuEXGvRrroZ51nX0oiAQ=; b=f6FvSiqKIj9cuwg036LDz8R8UHoPX/0+LFEqAcynesAhBGNayCkoxcLy6CUHDnxcOqZW3b voq2a5/Xv36r+Ouolq67pJjANvoWP7PdamQIDQT6NzH3aLTCa3naEmW39QciEay41Uxfvs k6gUV5qiHSYN1JjFNG85BAxw3GgkLXs=
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0
From: David Waite <david@alkaline-solutions.com>
In-Reply-To: <0A9A0ADF-B334-431C-A449-6D960C922ECA@aueb.gr>
Date: Mon, 11 Oct 2021 12:47:39 -0600
Cc: oauth <oauth@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <49F4EB86-05DF-4C38-A4B8-8332ED8F31EB@alkaline-solutions.com>
References: <0A9A0ADF-B334-431C-A449-6D960C922ECA@aueb.gr>
To: Nikos Fotiou <fotiou@aueb.gr>
Authentication-Results: caesium6.alkaline.solutions; auth=pass smtp.mailfrom=david@alkaline-solutions.com
X-Spamd-Bar: +
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/W-_CJx6NAM06pYVDYzekCYE36eY>
Subject: Re: [OAUTH-WG] DPoP, how will it be implemented in a browser?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Oct 2021 18:48:08 -0000

Public clients can create their own ephemeral key (say, non-exportable keys made with WebCrypto) to have bound to the access and refresh tokens at issuance time. DPoP is independent of the client authentication to the AS.

-DW

> On Oct 11, 2021, at 11:40 AM, Nikos Fotiou <fotiou@aueb.gr> wrote:
> 
> Hi,
> How do you believe DPoP will be implemented in a browser? In particular, how the browser will retrieve client's private key and generate the appropriate signature? Do you imagine interoperability with a specification such as WenAuthN? Something else (e.g., DPoP-enabled "wallets")? 
> 
> Best,
> Nikos
> --
> Nikos Fotiou - http://pages.cs.aueb.gr/~fotiou
> Researcher - Mobile Multimedia Laboratory
> Athens University of Economics and Business
> https://mm.aueb.gr
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.39.1 | Report a Bug | By Email | System Status