Re: [OAUTH-WG] expired hotk spec

Nat Sakimura <sakimura@gmail.com> Wed, 06 November 2013 19:10 UTC

In-Reply-To: <000F54A2-D1EC-4608-9C64-8FCD9D5E0311@oracle.com>
References: <000F54A2-D1EC-4608-9C64-8FCD9D5E0311@oracle.com>
Date: Wed, 06 Nov 2013 11:10:42 -0800
Message-ID: <CABzCy2B0SCtfXvtr3YatToeqpjrGJZ-5N2S-9X0WvwEbeH6udg@mail.gmail.com>
From: Nat Sakimura <sakimura@gmail.com>
To: Phil Hunt <phil.hunt@oracle.com>
Content-Type: multipart/alternative; boundary="001a113366bcd15d0804ea86e78b"
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] expired hotk spec

Some comments to the draft[1] to invigorate the discussion:

[1] https://datatracker.ietf.org/doc/draft-tschofenig-oauth-hotk/

*3.1.  Binding a Key to an Access Token*
=======================================

*3.1.1. Symmetric keys*
----------------------

The server is creating a symmetric key and returning it from the token
endpoint.
So, this is only doing the token endpoint - client - resource binding.

Should we not do the entire flow starting from the authorization request?

Re: Editor's note: My vote is to bake the key into the access token and
encrypt it with the resource server's public key as discussed below.

*3.1.2 Asymmetric Keys*
---------------------
The same comment as symmetric case: Should we not start from the
authorization request?

On access token: why just an example?
Should we not prescribe it completely?
Or are we just talking about the "within a same security domain" stuff?

I feel like hotk field should contain only one key.
If it expires, we can get another token.
Do we really need kid then?

*3.2.  Accessing a Protected Resource*
======================================

*3.2.1 Symmetric keys*
-----------------------
Is it assuming that the resource server can pull the key from the authz
server?
If the resource server and the authorization server are in different security
domains, you would not want to do this.

As stated above, we should bake the key into the access token and encrypt
it with the resource server's public key.

*3.2.2 Asymmetric keys*
----------------------
Let's not require TLS Channel Binding. It is hard right now. Let's do
something simpler.

FYI, I posted http://tools.ietf.org/html/draft-sakimura-oauth-rjwtprof-01 that
shows the flow starting from the authorization request to the resource
access. It has been sitting on my laptop for a long time (like Aug. last
year...). It has been very incomplete, so I did not post it before, but I just
posted it today to facilitate the discussion.

Cheers,

Nat



2013/11/4 Phil Hunt <phil.hunt@oracle.com>
>
> https://datatracker.ietf.org/doc/draft-tschofenig-oauth-hotk/
>
> Phil
>
> @independentid
> www.independentid.com
> phil.hunt@oracle.com
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>



--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
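As an added illustration of the proposal made in the message above (bake the symmetric key into the access token and encrypt it with the resource server's public key, so that the resource server never has to pull keys from the authorization server), here is a self-contained Go sketch. It is not code from this thread, from the hotk draft, or from draft-sakimura-oauth-rjwtprof; the token layout, the `hotk_enc` claim name, the HMAC proof format, the 300-second replay window and the `alice` / `https://rs.example` values are all assumptions made for the demonstration.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// Claims is the illustrative token payload; the claim names are hypothetical.
type Claims struct {
	Audience string `json:"aud"`
	Subject  string `json:"sub"`
	Expiry   int64  `json:"exp"`
	EncKey   string `json:"hotk_enc"` // base64url(RSA-OAEP(rsPub, key, label=aud))
}

// IssueToken plays the authorization server: mint a fresh 256-bit key, wrap it
// for the RS, sign the claims, and return the token plus the client's copy of the key.
func IssueToken(asKey *rsa.PrivateKey, rsPub *rsa.PublicKey, sub, aud string, exp time.Time) (string, []byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return "", nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, rsPub, key, []byte(aud))
	if err != nil {
		return "", nil, err
	}
	payload, _ := json.Marshal(Claims{Audience: aud, Subject: sub, Expiry: exp.Unix(), EncKey: b64.EncodeToString(wrapped)})
	digest := sha256.Sum256(payload)
	sig, err := rsa.SignPSS(rand.Reader, asKey, crypto.SHA256, digest[:], nil)
	if err != nil {
		return "", nil, err
	}
	return b64.EncodeToString(payload) + "." + b64.EncodeToString(sig), key, nil
}

// ClientProof is what the client attaches to a request: an HMAC over method,
// URI and timestamp under the bound key. A stolen token string alone cannot produce it.
func ClientProof(key []byte, method, uri string, ts int64) string {
	mac := hmac.New(sha256.New, key)
	fmt.Fprintf(mac, "%s\n%s\n%d", method, uri, ts)
	return b64.EncodeToString(mac.Sum(nil))
}

// VerifyRequest plays the resource server. It needs only the AS public key and
// its own private key: no key-lookup call back to the AS, so cross-domain works.
func VerifyRequest(asPub *rsa.PublicKey, rsKey *rsa.PrivateKey, self, token, method, uri string, ts int64, proof string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return nil, errors.New("malformed token")
	}
	payload, err1 := b64.DecodeString(parts[0])
	sig, err2 := b64.DecodeString(parts[1])
	if err1 != nil || err2 != nil {
		return nil, errors.New("token is not base64url")
	}
	digest := sha256.Sum256(payload)
	if rsa.VerifyPSS(asPub, crypto.SHA256, digest[:], sig, nil) != nil {
		return nil, errors.New("token signature invalid")
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	if c.Audience != self || now.Unix() >= c.Expiry {
		return nil, errors.New("token not valid for this resource server at this time")
	}
	if d := now.Unix() - ts; d > 300 || d < -300 { // proof replay window
		return nil, errors.New("proof timestamp outside acceptance window")
	}
	wrapped, _ := b64.DecodeString(c.EncKey) // claims are AS-signed; bad bytes just fail to unwrap
	key, err := rsa.DecryptOAEP(sha256.New(), nil, rsKey, wrapped, []byte(self))
	if err != nil {
		return nil, errors.New("bound key not decryptable by this resource server")
	}
	if !hmac.Equal([]byte(ClientProof(key, method, uri, ts)), []byte(proof)) {
		return nil, errors.New("proof of possession failed")
	}
	return &c, nil
}

func main() {
	asKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	rsKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	now := time.Now()
	tok, key, _ := IssueToken(asKey, &rsKey.PublicKey, "alice", "https://rs.example", now.Add(time.Hour))
	_, err := VerifyRequest(&asKey.PublicKey, rsKey, "https://rs.example", tok, "GET", "/photos/1", now.Unix(), ClientProof(key, "GET", "/photos/1", now.Unix()), now)
	fmt.Println("request accepted:", err == nil)
}
```

Two design points worth noticing: the wrapped key sits inside the AS-signed claims, so a resource server that checks the signature before unwrapping cannot be tricked into using a substituted key, and the OAEP label is the audience, so a token wrapped for one resource server cannot be replayed at another even if both trust the same AS. Like the draft as Nat describes it, this sketch only covers the token endpoint / client / resource binding; the authorization request leg he asks about is not modelled here.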