IETF Logo Mail Archive

Re: [OAUTH-WG] draft-ietf-tls-oob-pubkey: My summary

John Bradley <ve7jtb@ve7jtb.com> Fri, 13 July 2012 12:12 UTC

Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 810F021F8720 for <oauth@ietfa.amsl.com>; Fri, 13 Jul 2012 05:12:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.549
X-Spam-Level:
X-Spam-Status: No, score=-3.549 tagged_above=-999 required=5 tests=[AWL=0.050, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ia3tIyh9x8+q for <oauth@ietfa.amsl.com>; Fri, 13 Jul 2012 05:12:37 -0700 (PDT)
Received: from mail-qc0-f172.google.com (mail-qc0-f172.google.com [209.85.216.172]) by ietfa.amsl.com (Postfix) with ESMTP id 7CA4A21F86C6 for <oauth@ietf.org>; Fri, 13 Jul 2012 05:12:37 -0700 (PDT)
Received: by qcac10 with SMTP id c10so2304894qca.31 for <oauth@ietf.org>; Fri, 13 Jul 2012 05:13:13 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=subject:mime-version:content-type:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to:x-mailer :x-gm-message-state; bh=y76rMYUYmMI+8fZtryMkkdDq6V9Xcao3M5toLQdNUUE=; b=PnVd76GCoE66uwtcEGj35X5JiPB6+nFRkGUdd5/FqpH9q7aOU4DLzgnOzjvmIqb2IU KipdrPJhtjuu5i/cgM+ev+lgtx1kEPGTOsEbhqgV/sSx17+jZTmnvsd2cN6WNcfjNRo2 ngWFqoALYT32aH9uRwH6zyM2BSxMc3pFBFEZ84AX0f/Yph6rF8OOt3l3i/ena9jh1bgd I7qyqIX1qPweHWwoU6K11OqdjymFEHsoyHqk0rCbLlK+fZSlJm4YpeQEi51W0V+y8kXh Ce4/DowldKMWgC8NbpbmN8gz5gw2k3O4bMtXHTGdF4/kNjHz1ejZRAU0YBgSiW4o7nxc fP0w==
Received: by 10.224.78.69 with SMTP id j5mr2292429qak.37.1342181592971; Fri, 13 Jul 2012 05:13:12 -0700 (PDT)
Received: from [192.168.4.149] (ip-64-134-65-40.public.wayport.net. [64.134.65.40]) by mx.google.com with ESMTPS id bh13sm10901683qab.21.2012.07.13.05.13.11 (version=TLSv1/SSLv3 cipher=OTHER); Fri, 13 Jul 2012 05:13:12 -0700 (PDT)
Mime-Version: 1.0 (Apple Message framework v1278)
Content-Type: text/plain; charset="us-ascii"
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <255B9BB34FB7D647A506DC292726F6E114F7AB4406@WSMSG3153V.srv.dir.telstra.com>
Date: Fri, 13 Jul 2012 08:13:07 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <6A196EDE-3AF5-4B17-8F8D-2DA8FD9036AC@ve7jtb.com>
References: <213AE838-274D-4809-B841-CCCC51C7B3CD@gmx.net> <255B9BB34FB7D647A506DC292726F6E114F7AB4406@WSMSG3153V.srv.dir.telstra.com>
To: "Manger, James H" <James.H.Manger@team.telstra.com>
X-Mailer: Apple Mail (2.1278)
X-Gm-Message-State: ALoCoQl/mfscR5SReOYiGCR6k+r1QlxJWNLEkVf3XUI/gdXmYtdPIVaNwMdhQKaGAnmOfMu23Exm
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] draft-ietf-tls-oob-pubkey: My summary
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Jul 2012 12:12:38 -0000

It sucks for TLS hinting:)

In principal the client needs to know what keypair to use for the TLS session before it is initiated.

The protected resource establishes the session with client auth accepting any client key.

The protected resource compares the client key passed in from TLS with the one in the token as part of token validation, and accepts or rejects the token.

It is different from "normal" TLS client auth in that it is not the TLS layer making the access decision.

John B.
On 2012-07-12, at 11:40 AM, Manger, James H wrote:

>> III) Hybrid Scenario (the OAuth Holder-of-the-Key Use case)
>> 
>> client_hello,
>> cert-receive=(X.509, Raw) // (1)
>> cert-send=(Raw)             -> // (2)
>> 
>>                         <-  server_hello,
>>                             cert-info=(X.509),// (3)
>>                             certificate, // (4)
>>                             certificate_request, // (5)
>>                             cert-receive=(Raw) // (6)
>>                             server_key_exchange,
>>                             server_hello_done
>> 
>> cert-info=(Raw), // (7)
>> certificate, // (8)
>> client_key_exchange,
>> change_cipher_spec,
>> finished                  ->
>> 
>>                         <- change_cipher_spec,
>>                            finished
>> 
>> Application Data        <------->     Application Data
>> 
>> Legend:
>> 
>> (1) Client accepts to receive X.509 certs and raw public keys, in this
>> order of preference. (Could also be X.509 only in this example)
>> (2) The client does have a raw public key for client authentication.
>> (3) The server decides to sends his X.509 cert and indicates this in
>> the cert-info field.
>> (4) The certificate payload contains the X.509 cert.
>> (5) The server wants to use client authentication and sends a cert-
>> request.
>> (6) The certificate request asks for a certificate of type 'raw'
>> (knowing that the client supports it from (2)).
>> (7) The client indicates that the certificate payload contains a raw
>> public key.
>> (8) Here is the payload of the certificate itself.
> 
> 
> So the OAuth client completes a TLS handshake with a protected resource using a raw key, but the protected resource doesn't get any authorization for that raw key until it sees an access_token which appear where? In an HTTP header somewhere in the App Data some time after the TLS handshake finishes?
> 
> --
> James Manger
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email