IETF Logo Mail Archive

Re: [OAUTH-WG] Holder-of-the-Key for OAuth

Hannes Tschofenig <hannes.tschofenig@gmx.net> Wed, 11 July 2012 10:13 UTC

Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8183421F85F9 for <oauth@ietfa.amsl.com>; Wed, 11 Jul 2012 03:13:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.368
X-Spam-Level:
X-Spam-Status: No, score=-102.368 tagged_above=-999 required=5 tests=[AWL=0.231, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kvrram8S7-pw for <oauth@ietfa.amsl.com>; Wed, 11 Jul 2012 03:13:24 -0700 (PDT)
Received: from mailout-de.gmx.net (mailout-de.gmx.net [213.165.64.23]) by ietfa.amsl.com (Postfix) with SMTP id 1874C21F8504 for <oauth@ietf.org>; Wed, 11 Jul 2012 03:13:22 -0700 (PDT)
Received: (qmail invoked by alias); 11 Jul 2012 10:13:52 -0000
Received: from unknown (EHLO [10.255.128.232]) [194.251.119.201] by mail.gmx.net (mp001) with SMTP; 11 Jul 2012 12:13:52 +0200
X-Authenticated: #29516787
X-Provags-ID: V01U2FsdGVkX1+fD+cQP4ufN6ilvBXNW2l3ymzH1x/Am4ywgwzLWe uOycXy5nC/Pifi
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: text/plain; charset="us-ascii"
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
In-Reply-To: <B26C1EF377CB694EAB6BDDC8E624B6E74F97AECB@BL2PRD0310MB362.namprd03.prod.outlook.com>
Date: Wed, 11 Jul 2012 13:13:49 +0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <14F8323B-DE1A-4B0E-8114-BD5B359D5D91@gmx.net>
References: <8FB1BC31-D183-47A0-9792-4FDF460AFAA1@gmx.net> <B26C1EF377CB694EAB6BDDC8E624B6E74F979CF1@BL2PRD0310MB362.namprd03.prod.outlook.com> <22194120-0613-48A7-9825-FD3BAD76062A@gmx.net> <B26C1EF377CB694EAB6BDDC8E624B6E74F97AECB@BL2PRD0310MB362.namprd03.prod.outlook.com>
To: Anthony Nadalin <tonynad@microsoft.com>
X-Mailer: Apple Mail (2.1084)
X-Y-GMX-Trusted: 0
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Holder-of-the-Key for OAuth
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Jul 2012 10:13:25 -0000

Hi Tony, 

On Jul 10, 2012, at 12:17 AM, Anthony Nadalin wrote:

>> Regarding the symmetric keys: The asymmetric key can be re-used but with a symmetric key holder-of-the-key you would have to request a fresh one every time in order to accomplish comparable security benefits.
> 
> We have use cases for asymmetric, symmetric and for nonce (entropy),

I tried to describe the difference between the various approaches in this document: 
http://www.potaroo.net/ietf/all-ids/draft-tschofenig-oauth-signature-thoughts-00.txt

There is a small performance improvement when using symmetric key techniques compared to short-lived asymmetric keys but asymmetric keys provide security benefits (since the resource server nor the authorization server ever get to see the private key). 

Do you really need both? 

And: Could you explain the nonce-based technique? 


> and thus would have to distinguish between these types requested and returned.

Certainly true. 

I currently use the pk-info parameter to allow the client to hint support for this extension in the request, and the "token_type":"hotk" in the response as a confirmation that the server-side understands it and had included the public key into the access token. 

Ciao
Hannes

> 
> -----Original Message-----
> From: Hannes Tschofenig [mailto:hannes.tschofenig@gmx.net] 
> Sent: Monday, July 09, 2012 12:05 PM
> To: Anthony Nadalin
> Cc: Hannes Tschofenig; OAuth WG
> Subject: Re: [OAUTH-WG] Holder-of-the-Key for OAuth
> 
> Hi Tony, 
> 
> I had to start somewhere. I had chosen the asymmetric version since it provides good security properties and there is already the BrowserID/OBC work that I had in the back of my mind. I am particularly interested to illustrate that you can accomplish the same, if not better, characteristics than BrowserID by using OAuth instead of starting from scratch. 
> 
> Regarding the symmetric keys: The asymmetric key can be re-used but with a symmetric key holder-of-the-key you would have to request a fresh one every time in order to accomplish comparable security benefits. 
> 
> Ciao
> Hannes
> 
> On Jul 9, 2012, at 9:57 PM, Anthony Nadalin wrote:
> 
>> Hannes, thanks for drafting this, couple of comments:
>> 
>> 1. HOK is one of Proof of Possession methods, should we consider others?
>> 2. This seems just to handle asymmetric keys, need to also handle symmetric keys
>> 
>> 
>> -----Original Message-----
>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes Tschofenig
>> Sent: Monday, July 09, 2012 11:15 AM
>> To: OAuth WG
>> Subject: [OAUTH-WG] Holder-of-the-Key for OAuth
>> 
>> Hi guys, 
>> 
>> today I submitted a short document that illustrates the concept of holder-of-the-key for OAuth. 
>> Here is the document: 
>> https://datatracker.ietf.org/doc/draft-tschofenig-oauth-hotk
>> 
>> Your feedback is welcome 
>> 
>> Ciao
>> Hannes
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>> 
>> 
>> 
>> 
>> 
> 
> 
> 
> 
> 
>

v2.23.0 | Report a Bug | By Email