Re: [OAUTH-WG] Holder-of-the-Key for OAuth
Phil Hunt <phil.hunt@oracle.com> Tue, 10 July 2012 16:56 UTC
Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 10F6521F8650 for <oauth@ietfa.amsl.com>; Tue, 10 Jul 2012 09:56:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.326
X-Spam-Level:
X-Spam-Status: No, score=-10.326 tagged_above=-999 required=5 tests=[AWL=0.273, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yO9WDuqyf1Yy for <oauth@ietfa.amsl.com>; Tue, 10 Jul 2012 09:56:20 -0700 (PDT)
Received: from acsinet15.oracle.com (acsinet15.oracle.com [141.146.126.227]) by ietfa.amsl.com (Postfix) with ESMTP id F123621F8634 for <oauth@ietf.org>; Tue, 10 Jul 2012 09:56:19 -0700 (PDT)
Received: from ucsinet21.oracle.com (ucsinet21.oracle.com [156.151.31.93]) by acsinet15.oracle.com (Sentrion-MTA-4.2.2/Sentrion-MTA-4.2.2) with ESMTP id q6AGuiaB015611 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 10 Jul 2012 16:56:45 GMT
Received: from acsmt358.oracle.com (acsmt358.oracle.com [141.146.40.158]) by ucsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id q6AGuhXs006570 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 10 Jul 2012 16:56:44 GMT
Received: from abhmt114.oracle.com (abhmt114.oracle.com [141.146.116.66]) by acsmt358.oracle.com (8.12.11.20060308/8.12.11) with ESMTP id q6AGuh7x005146; Tue, 10 Jul 2012 11:56:43 -0500
Received: from [192.168.1.8] (/24.85.226.208) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Tue, 10 Jul 2012 09:56:43 -0700
Mime-Version: 1.0 (Apple Message framework v1278)
Content-Type: text/plain; charset="us-ascii"
From: Phil Hunt <phil.hunt@oracle.com>
In-Reply-To: <C433DCE1-3015-4442-9DD0-A5228415D6C0@ve7jtb.com>
Date: Tue, 10 Jul 2012 09:56:44 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <B115176F-8C04-4085-8D9D-EB4401042B60@oracle.com>
References: <8FB1BC31-D183-47A0-9792-4FDF460AFAA1@gmx.net> <B26C1EF377CB694EAB6BDDC8E624B6E74F979CF1@BL2PRD0310MB362.namprd03.prod.outlook.com> <22194120-0613-48A7-9825-FD3BAD76062A@gmx.net> <C433DCE1-3015-4442-9DD0-A5228415D6C0@ve7jtb.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
X-Mailer: Apple Mail (2.1278)
X-Source-IP: ucsinet21.oracle.com [156.151.31.93]
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Holder-of-the-Key for OAuth
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Jul 2012 16:56:26 -0000
Hannes, Thanks for your proposal. I'm glad to see work on this starting. I think use cases may demand more than just channel security. A lot of cases do not have end-to-end TLS channels available. So while this could be stated to be an improvement it may not achieve the end-to-end authentication of clients being looked for. One aspect of the MAC draft that I did like was that it involved a changing authorization value which essentially gave a message centric security model. Would it be appropriate to start a discussion on the use cases the WG would like to address? Phil @independentid www.independentid.com phil.hunt@oracle.com On 2012-07-10, at 3:33 AM, John Bradley wrote: > I agree that there are use-cases for all of the proof of possession mechanisms. > > Presentment methods also need to be considered. > > TLS client auth may not always be the best option. Sometimes message signing is more appropriate. > > One question is if we want to do a generic proof of possession for JWT that is useful outside OAuth, or something OAuth specific. The answer may be a combined approach. > > I think this is a good start to get discussion going. > > John B. > On 2012-07-09, at 3:05 PM, Hannes Tschofenig wrote: > >> Hi Tony, >> >> I had to start somewhere. I had chosen the asymmetric version since it provides good security properties and there is already the BrowserID/OBC work that I had in the back of my mind. I am particularly interested to illustrate that you can accomplish the same, if not better, characteristics than BrowserID by using OAuth instead of starting from scratch. >> >> Regarding the symmetric keys: The asymmetric key can be re-used but with a symmetric key holder-of-the-key you would have to request a fresh one every time in order to accomplish comparable security benefits. >> >> Ciao >> Hannes >> >> On Jul 9, 2012, at 9:57 PM, Anthony Nadalin wrote: >> >>> Hannes, thanks for drafting this, couple of comments: >>> >>> 1. HOK is one of Proof of Possession methods, should we consider others? >>> 2. This seems just to handle asymmetric keys, need to also handle symmetric keys >>> >>> >>> -----Original Message----- >>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes Tschofenig >>> Sent: Monday, July 09, 2012 11:15 AM >>> To: OAuth WG >>> Subject: [OAUTH-WG] Holder-of-the-Key for OAuth >>> >>> Hi guys, >>> >>> today I submitted a short document that illustrates the concept of holder-of-the-key for OAuth. >>> Here is the document: >>> https://datatracker.ietf.org/doc/draft-tschofenig-oauth-hotk >>> >>> Your feedback is welcome >>> >>> Ciao >>> Hannes >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >>> >>> >>> >>> >>> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] Holder-of-the-Key for OAuth Hannes Tschofenig
- Re: [OAUTH-WG] Holder-of-the-Key for OAuth Anthony Nadalin
- Re: [OAUTH-WG] Holder-of-the-Key for OAuth Hannes Tschofenig
- Re: [OAUTH-WG] Holder-of-the-Key for OAuth Anthony Nadalin
- Re: [OAUTH-WG] Holder-of-the-Key for OAuth Manger, James H
- Re: [OAUTH-WG] Holder-of-the-Key for OAuth John Bradley
- Re: [OAUTH-WG] Holder-of-the-Key for OAuth Anthony Nadalin
- Re: [OAUTH-WG] Holder-of-the-Key for OAuth Hannes Tschofenig
- Re: [OAUTH-WG] Holder-of-the-Key for OAuth Anthony Nadalin
- Re: [OAUTH-WG] Holder-of-the-Key for OAuth William Mills
- Re: [OAUTH-WG] Holder-of-the-Key for OAuth John Bradley
- Re: [OAUTH-WG] Holder-of-the-Key for OAuth Phil Hunt
- Re: [OAUTH-WG] Holder-of-the-Key for OAuth John Bradley
- Re: [OAUTH-WG] Holder-of-the-Key for OAuth Anthony Nadalin
- Re: [OAUTH-WG] Holder-of-the-Key for OAuth John Bradley
- Re: [OAUTH-WG] Holder-of-the-Key for OAuth prateek mishra
- Re: [OAUTH-WG] Holder-of-the-Key for OAuth Tschofenig, Hannes (NSN - FI/Espoo)
- Re: [OAUTH-WG] Holder-of-the-Key for OAuth Anthony Nadalin
- Re: [OAUTH-WG] Holder-of-the-Key for OAuth prateek mishra
- Re: [OAUTH-WG] Holder-of-the-Key for OAuth William Mills
- Re: [OAUTH-WG] Holder-of-the-Key for OAuth Phil Hunt
- Re: [OAUTH-WG] Holder-of-the-Key for OAuth Manger, James H
- Re: [OAUTH-WG] Holder-of-the-Key for OAuth John Bradley
- Re: [OAUTH-WG] Holder-of-the-Key for OAuth Hannes Tschofenig
- Re: [OAUTH-WG] Holder-of-the-Key for OAuth Manger, James H
- Re: [OAUTH-WG] Holder-of-the-Key for OAuth Hannes Tschofenig
- Re: [OAUTH-WG] Holder-of-the-Key for OAuth John Bradley
- Re: [OAUTH-WG] Holder-of-the-Key for OAuth Hannes Tschofenig
- Re: [OAUTH-WG] Holder-of-the-Key for OAuth John Bradley
- Re: [OAUTH-WG] Holder-of-the-Key for OAuth John Bradley
- Re: [OAUTH-WG] Holder-of-the-Key for OAuth prateek mishra
- Re: [OAUTH-WG] Holder-of-the-Key for OAuth William Mills
- Re: [OAUTH-WG] Holder-of-the-Key for OAuth William Mills