Re: [OAUTH-WG] Proof-of-Possession Key Semantics for JWTs spec addressing final shepherd comment
Mike Jones <Michael.Jones@microsoft.com> Wed, 04 November 2015 22:51 UTC
From: Mike Jones <Michael.Jones@microsoft.com>
To: Brian Campbell <bcampbell@pingidentity.com>
Date: Wed, 04 Nov 2015 22:51:22 +0000
Message-ID: <BY2PR03MB44262EA4616E08287A91DB1F52A0@BY2PR03MB442.namprd03.prod.outlook.com>
References: <BY2PR03MB442F6667C49F8CF260D504DF52A0@BY2PR03MB442.namprd03.prod.outlook.com> <D2605993.2210B%kepeng.lkp@alibaba-inc.com> <BY2PR03MB4423CADD0E9897848961B99F52A0@BY2PR03MB442.namprd03.prod.outlook.com> <CA+k3eCRW=ggajMeL1z2cvLDkou9XsLMupicH-5HyDkadj0_o_g@mail.gmail.com>
In-Reply-To: <CA+k3eCRW=ggajMeL1z2cvLDkou9XsLMupicH-5HyDkadj0_o_g@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/Xaz-PWvR7hN18WuSqTGIGeHVHAo>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Proof-of-Possession Key Semantics for JWTs spec addressing final shepherd comment
Thanks for the detailed read, Brian. You're right that in the symmetric case, either the issuer or the presenter can create the symmetric PoP key and share it with the other party, since the effect is equivalent. I suspect that both the key distribution draft and this draft should be updated with a sentence or two saying that either approach can be taken. Do others concur?

-- Mike

From: Brian Campbell [mailto:bcampbell@pingidentity.com]
Sent: Thursday, November 05, 2015 7:48 AM
To: Mike Jones
Cc: Kepeng Li; oauth@ietf.org
Subject: Re: [OAUTH-WG] Proof-of-Possession Key Semantics for JWTs spec addressing final shepherd comment

+1 for the diagrams making the document more understandable.

One little nit/question: step 1 in both Symmetric and Asymmetric keys shows the Presenter sending the key to the Issuer. It's possible, however, for the key to be sent the other way. Presenter sending it to the Issuer is probably preferred for asymmetric, especially if the client can secure the private keys in hardware. But I don't know if one way or the other is clearly better for the symmetric case, and PoP key distribution currently has it the other way (https://tools.ietf.org/html/draft-ietf-oauth-pop-key-distribution-02#section-4.2). Should the intro text somehow mention the possibility that the Issuer could create the key and send it to the Presenter? I know it's only the introduction, but it was just something that jumped out at me.

On Wed, Nov 4, 2015 at 9:04 AM, Mike Jones <Michael.Jones@microsoft.com> wrote:

Thanks for suggesting the diagrams, Kepeng. They make the document more understandable.

-- Mike

________________________________
From: Kepeng Li <kepeng.lkp@alibaba-inc.com>
Sent: 11/5/2015 12:57 AM
To: Mike Jones <Michael.Jones@microsoft.com>; oauth@ietf.org
Subject: Re: Proof-of-Possession Key Semantics for JWTs spec addressing final shepherd comment

Thank you Mike. The diagrams look good to me.

Kind Regards,
Kepeng

From: Mike Jones <Michael.Jones@microsoft.com>
Date: Thursday, 5 November, 2015 12:32 am
To: "oauth@ietf.org" <oauth@ietf.org>
Cc: Li Kepeng <kepeng.lkp@alibaba-inc.com>
Subject: Proof-of-Possession Key Semantics for JWTs spec addressing final shepherd comment

Proof-of-Possession Key Semantics for JWTs draft -06 addresses the remaining document shepherd comment – adding use case diagrams to the introduction. The updated specification is available at:

· http://tools.ietf.org/html/draft-ietf-oauth-proof-of-possession-06

An HTML formatted version is also available at:

· https://self-issued.info/docs/draft-ietf-oauth-proof-of-possession-06.html

-- Mike

P.S. This note was also posted at http://self-issued.info/?p=1471 and as @selfissued (https://twitter.com/selfissued).
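The point Brian and Mike agree on above is that for a symmetric PoP key the direction of distribution (presenter to issuer, or issuer to presenter) does not change what the recipient has to check. The following is an added example, not code from the draft or from anyone in the thread. It models both directions in plain Python with only the standard library: the issuer binds the key to the JWT through a `cnf` claim carrying a `kid`, the presenter later proves possession by keying an HMAC over a recipient-chosen nonce, and the recipient's verification is identical in both flows. Assumptions, all constructed for the demo: the JWT is HS256-signed with a key the issuer and recipient already share, the recipient can look up PoP keys by `kid` (the in-memory `pop_keys` table stands in for whatever back channel an actual deployment uses), the `kid` derivation in `pop_key_id` is hypothetical, and the nonce-HMAC proof is one possible presentation mechanism rather than anything the draft mandates.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed example: a symmetric PoP key may originate at either the presenter
# or the issuer; the recipient's proof-of-possession check is the same either way.


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hs256_jwt(claims: dict, key: bytes) -> str:
    """Minimal HS256 JWT (header.payload.signature); enough for the demo."""
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc({'alg': 'HS256', 'typ': 'JWT'})}.{enc(claims)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def verify_hs256_jwt(token: str, key: bytes) -> dict:
    header_b64, payload_b64, sig_b64 = token.split(".")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("JWT signature check failed")
    return json.loads(b64url_decode(payload_b64))


def pop_key_id(pop_key: bytes) -> str:
    # Hypothetical kid derivation; the only requirement is that kid identify the key.
    return b64url(hashlib.sha256(pop_key).digest()[:8])


class Issuer:
    def __init__(self):
        # Assumption: issuer and recipient share this key for the JWT signature.
        self.jwt_key = secrets.token_bytes(32)
        # Assumption: recipient can resolve kid -> PoP key through this table.
        self.pop_keys = {}

    def issue(self, presenter_key=None):
        # Direction 1: presenter created the key and sent it to the issuer.
        # Direction 2: presenter_key is None, so the issuer creates the key itself
        # and returns it to the presenter alongside the JWT.
        pop_key = presenter_key if presenter_key is not None else secrets.token_bytes(32)
        kid = pop_key_id(pop_key)
        self.pop_keys[kid] = pop_key
        claims = {"iss": "https://issuer.example", "sub": "presenter", "cnf": {"kid": kid}}
        return hs256_jwt(claims, self.jwt_key), pop_key


def presenter_proof(pop_key: bytes, nonce: bytes) -> bytes:
    """Presenter demonstrates possession by keying an HMAC over the recipient's nonce."""
    return hmac.new(pop_key, nonce, hashlib.sha256).digest()


def recipient_verifies(issuer: Issuer, jwt: str, nonce: bytes, proof: bytes) -> bool:
    """Recipient: check the JWT, find the bound key via cnf.kid, check the proof."""
    claims = verify_hs256_jwt(jwt, issuer.jwt_key)
    pop_key = issuer.pop_keys.get(claims["cnf"]["kid"])
    if pop_key is None:
        return False
    return hmac.compare_digest(presenter_proof(pop_key, nonce), proof)


def run_flow(presenter_creates_key: bool, tamper: bool = False) -> bool:
    """Run one full exchange; tamper=True makes the presenter use the wrong key."""
    issuer = Issuer()
    presenter_key = secrets.token_bytes(32) if presenter_creates_key else None
    jwt, pop_key = issuer.issue(presenter_key)
    nonce = secrets.token_bytes(16)  # constructed recipient challenge
    key_used = secrets.token_bytes(32) if tamper else pop_key
    return recipient_verifies(issuer, jwt, nonce, presenter_proof(key_used, nonce))


if __name__ == "__main__":
    print("presenter-created key verifies:", run_flow(True))
    print("issuer-created key verifies:   ", run_flow(False))
    print("wrong key rejected:            ", not run_flow(True, tamper=True))
```

`recipient_verifies` never learns which side generated the key; it only sees the `cnf.kid` binding in the JWT and the proof over its own nonce, which is the sense in which the two distribution directions are equivalent.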