Re: [OAUTH-WG] New Version Notification for draft-hunt-oauth-pop-architecture-00.txt

Thomas Hardjono <hardjono@MIT.EDU> Fri, 04 April 2014 15:38 UTC

Return-Path: <hardjono@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E51041A0235 for <oauth@ietfa.amsl.com>; Fri, 4 Apr 2014 08:38:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.611
X-Spam-Level:
X-Spam-Status: No, score=-2.611 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kCYfCYiqyR6e for <oauth@ietfa.amsl.com>; Fri, 4 Apr 2014 08:38:23 -0700 (PDT)
Received: from dmz-mailsec-scanner-3.mit.edu (dmz-mailsec-scanner-3.mit.edu [18.9.25.14]) by ietfa.amsl.com (Postfix) with ESMTP id 788BC1A0232 for <oauth@ietf.org>; Fri, 4 Apr 2014 08:38:23 -0700 (PDT)
X-AuditID: 1209190e-f79ee6d000000c40-26-533ed1eafac4
Received: from mailhub-auth-1.mit.edu ( [18.9.21.35]) (using TLS with cipher AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-3.mit.edu (Symantec Messaging Gateway) with SMTP id 12.4A.03136.AE1DE335; Fri, 4 Apr 2014 11:38:18 -0400 (EDT)
Received: from outgoing-exchange-3.mit.edu (outgoing-exchange-3.mit.edu [18.9.28.13]) by mailhub-auth-1.mit.edu (8.13.8/8.9.2) with ESMTP id s34FcHqN015504; Fri, 4 Apr 2014 11:38:18 -0400
Received: from OC11EXEDGE3.EXCHANGE.MIT.EDU (oc11exedge3.exchange.mit.edu [18.9.3.21]) by outgoing-exchange-3.mit.edu (8.13.8/8.12.4) with ESMTP id s34FcH6D024540; Fri, 4 Apr 2014 11:38:17 -0400
Received: from W92EXHUB13.exchange.mit.edu (18.7.73.24) by OC11EXEDGE3.EXCHANGE.MIT.EDU (18.9.3.21) with Microsoft SMTP Server (TLS) id 14.3.158.1; Fri, 4 Apr 2014 11:38:09 -0400
Received: from OC11EXPO24.exchange.mit.edu ([169.254.1.193]) by W92EXHUB13.exchange.mit.edu ([18.7.73.24]) with mapi id 14.03.0158.001; Fri, 4 Apr 2014 11:38:16 -0400
From: Thomas Hardjono <hardjono@MIT.EDU>
To: Bill Mills <wmills@yahoo-inc.com>, OAuth WG <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] New Version Notification for draft-hunt-oauth-pop-architecture-00.txt
Thread-Index: AQHPUBowsLOurSBGTkGypziV6taZwZsBlZ9B
Date: Fri, 4 Apr 2014 15:38:15 +0000
Message-ID: <5E393DF26B791A428E5F003BB6C5342A55BF436B@OC11EXPO24.exchange.mit.edu>
References: <20140403083747.31162.58961.idtracker@ietfa.amsl.com>, <1396541184.357.YahooMailNeo@web125601.mail.ne1.yahoo.com>
In-Reply-To: <1396541184.357.YahooMailNeo@web125601.mail.ne1.yahoo.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [18.189.27.130]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFrrJKsWRmVeSWpSXmKPExsUixCmqrPvqol2wwZ49BhYn375is3jfX+3A 5LFkyU8mjzurfjEGMEVx2aSk5mSWpRbp2yVwZdy49Z694Ixoxbr7l1gaGPcIdjFyckgImEh8 /rCEHcIWk7hwbz1bFyMXh5DAbCaJz7NPMkM4+xkl1j7aDZU5xijRsPcSE4SzjVHiSu8mqMwq RomJ1x+ygAxjE9CQOPd7L9hgEQEHiWXr97KB2MIC8RKLG3YzQsQTJH7MX8gEYRtJPJu/GKye RUBF4snTF0C7OTh4BYIkJjaJgYSFBGokfuy6A1bCKeAu0dg5lRXEZgS6+/upNWBjmAXEJW49 mc8E8Y+gxKLZe5hhfvu36yEbhK0o8eLiQmaIeh2JBbs/sUHY2hLLFr4Gi/MC9Z6c+YRlAqPE LCRjZyFpmYWkZRaSlgWMLKsYZVNyq3RzEzNzilOTdYuTE/PyUot0jfVyM0v0UlNKNzGCY1CS bwfj14NKhxgFOBiVeHg7dtgFC7EmlhVX5h5ilORgUhLlvboKKMSXlJ9SmZFYnBFfVJqTWnyI UYKDWUmEt24CUI43JbGyKrUoHyYlzcGiJM771toqWEggPbEkNTs1tSC1CCYrw8GhJMFrBkw1 QoJFqempFWmZOSUIaSYOTpDhPEDDfUBqeIsLEnOLM9Mh8qcYFaXEeT9fAEoIgCQySvPgemEp 8hWjONArwrwqIO08wPQK1/0KaDAT0OCGMLDBJYkIKakGxhgbWcMlL4NYN35gT/nA82vVjfeN mkxqLe5qT6s3zVn0UNGzaPVum91fVedt3xb52bj6Vz2fbUCsgHTCvMJv0RMazfk37Pnjziws Z5y46/uV0wwCD1kW1hvf8FbY/oupVidvVvKRsK/Ch1OvXfPekHrt6Z6TF2UbfgobC7S8jwrq z1pr11V4W4mlOCPRUIu5qDgRAAiod0lsAwAA
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/Wf_S_DYGCUEhoYjlo3UEJsIktDw
Subject: Re: [OAUTH-WG] New Version Notification for draft-hunt-oauth-pop-architecture-00.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Apr 2014 15:38:28 -0000

Bill,

The PoP terminology in ancient IETF terminology coming from the IPsec WG (also home of IKE and IKEv2 protocols), 
and perhaps even before the IPsec WG.  So its a well-known term in the Security Area. I'd suggest we keep it.

Folks that work in the Mail & routing area use the term POP3 or RFC1939 in their context.

People in OASIS security-related Technical Committees use HOK (holder of key), such as the HOK Web Browser profile:

https://wiki.oasis-open.org/security/SamlHoKWebSSOProfile


/thomas/


________________________________________
From: OAuth [oauth-bounces@ietf.org] on behalf of Bill Mills [wmills@yahoo-inc.com]
Sent: Thursday, April 03, 2014 12:06 PM
To: Phil Hunt; Prateek Mishra; Hannes Tschofenig; Justin Richer; OAuth WG
Subject: Re: [OAUTH-WG] New Version Notification for draft-hunt-oauth-pop-architecture-00.txt

I really *like* the name "proof of possession", but I think the acronym PoP is going to be confused with POP.  HOTK has the advantage of not being a homonym for aything else.  What about "Possession Proof"?

-bill


--------------------------------
William J. Mills
"Paranoid" MUX Yahoo!

On Thursday, April 3, 2014 1:38 AM, "internet-drafts@ietf.org" <internet-drafts@ietf.org> wrote:

A new version of I-D, draft-hunt-oauth-pop-architecture-00.txt
has been successfully submitted by Hannes Tschofenig and posted to the
IETF repository.

Name:        draft-hunt-oauth-pop-architecture
Revision:    00
Title:        OAuth 2.0 Proof-of-Possession (PoP) Security Architecture
Document date:    2014-04-03
Group:        Individual Submission
Pages:        21
URL:            http://www.ietf.org/internet-drafts/draft-hunt-oauth-pop-architecture-00.txt
Status:        https://datatracker.ietf.org/doc/draft-hunt-oauth-pop-architecture/
Htmlized:      http://tools.ietf.org/html/draft-hunt-oauth-pop-architecture-00


Abstract:
  The OAuth 2.0 bearer token specification, as defined in RFC 6750,
  allows any party in possession of a bearer token (a "bearer") to get
  access to the associated resources (without demonstrating possession
  of a cryptographic key).  To prevent misuse, bearer tokens must to be
  protected from disclosure in transit and at rest.

  Some scenarios demand additional security protection whereby a client
  needs to demonstrate possession of cryptographic keying material when
  accessing a protected resource.  This document motivates the
  development of the OAuth 2.0 proof-of-possession security mechanism.




Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat