Re: [OAUTH-WG] New Version Notification for draft-fett-oauth-dpop-03.txt

Torsten Lodderstedt <torsten@lodderstedt.net> Sun, 17 November 2019 10:14 UTC

Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DA41E1200B1 for <oauth@ietfa.amsl.com>; Sun, 17 Nov 2019 02:14:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lodderstedt.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pW6-95835wM6 for <oauth@ietfa.amsl.com>; Sun, 17 Nov 2019 02:14:26 -0800 (PST)
Received: from mail-wm1-x329.google.com (mail-wm1-x329.google.com [IPv6:2a00:1450:4864:20::329]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D3AB412007A for <oauth@ietf.org>; Sun, 17 Nov 2019 02:14:25 -0800 (PST)
Received: by mail-wm1-x329.google.com with SMTP id 8so15540850wmo.0 for <oauth@ietf.org>; Sun, 17 Nov 2019 02:14:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lodderstedt.net; s=google; h=content-transfer-encoding:from:mime-version:subject:date:message-id :references:cc:in-reply-to:to; bh=skAt3Lc5aQd0ppzRcCn5nIkWU9IUqQvMJNMz/jJlh/0=; b=CULYavdot2H2vS+KY4d5mTMVzLw0H0PMYk1JQlO3sqkzLzFN61jJWwtMHwEDCa5Ub/ QKQnivlf7HBZb1x/XzjZjPuMslDy9toRRoF7K4lYCl+Xbda7bjqRIDf++jKwR5ai4kdZ HASwAfbVCWPYHTP48jl1zwg0l2QL2pN4niVACFRRVWKGSSAXF+Ab65E280IMwlz+RbnY vahyeebYUrJmFINVWYs27dxPuZojYBFh0I+BND3NCdXSdsfM7IgAJctLjqN37u/zOWsW 4fnwcUoFx+DPYWOBcchcFiomCoCE0K4c6tVbAO4ycd9Pca3U2gpRKZmdOWK8+vrQIXNj 2bDg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:content-transfer-encoding:from:mime-version :subject:date:message-id:references:cc:in-reply-to:to; bh=skAt3Lc5aQd0ppzRcCn5nIkWU9IUqQvMJNMz/jJlh/0=; b=qs3cJnlrsYuYtVhSVT9EtXWsvavZVRbyD/Fytn/VBgi5EDdAJ6VJuRei/BZK3TRiFq 0dMTb1421MWzRIFiuLl372/ZbAtKWAWWs9zZy+J9G63f6L/icdTgkhz/DUp51SIgREpX pR+cEWHCtHSlkb8akm8RHP1pIAeSL/XApqXd7KJ2lGM8slYcBwmQKB05jf2yC/RS9Sj8 HCwUGY0EuX5sdzwTfXEh0lscNA1neNVOApsVdytG7713Z4PerFZ/Mk+BkOp71abk6bHE /T7YKViZNPrGBLhOMdr/zGKs/gygbQRAV2laL0DzeYq0XNxBSIyhB63T7NA3CAzE81je 7nZA==
X-Gm-Message-State: APjAAAWFvUvizWMhhqVXp6t2pUDf0DHgFcMEegaGS4lCpI1KZZqwC+Ir Oi7j2r/sCjyJO9djtOUQhCpJaQ8LJAc1TW1L
X-Google-Smtp-Source: APXvYqzNUHYELG7LRc4lEhmlW7ZebJQh5DXnOHUtIbZNid46kpqb32xBmJAjyAPzebl4vlFKYXfx0A==
X-Received: by 2002:a1c:1f14:: with SMTP id f20mr21924554wmf.147.1573985664181; Sun, 17 Nov 2019 02:14:24 -0800 (PST)
Received: from [10.156.39.180] (tmo-111-83.customers.d1-online.com. [80.187.111.83]) by smtp.gmail.com with ESMTPSA id i14sm5403066wrn.31.2019.11.17.02.14.23 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sun, 17 Nov 2019 02:14:23 -0800 (PST)
Content-Type: multipart/signed; boundary="Apple-Mail-A6456253-FFCB-4934-AC4F-F4727D59F1A8"; protocol="application/pkcs7-signature"; micalg="sha-256"
Content-Transfer-Encoding: 7bit
From: Torsten Lodderstedt <torsten@lodderstedt.net>
Mime-Version: 1.0 (1.0)
Date: Sun, 17 Nov 2019 18:14:20 +0800
Message-Id: <5FCA868A-4E8C-45DF-BD64-31EAF28D4476@lodderstedt.net>
References: <E54A3C8B-4558-4585-85FA-CDB99F27C6CA@alkaline-solutions.com>
Cc: Paul Querna <pquerna@apache.org>, oauth <oauth@ietf.org>
In-Reply-To: <E54A3C8B-4558-4585-85FA-CDB99F27C6CA@alkaline-solutions.com>
To: David Waite <david@alkaline-solutions.com>
X-Mailer: iPhone Mail (17A878)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/j35KydA4_4Gxr-Gvy9C7ED6MicM>
Subject: Re: [OAUTH-WG] New Version Notification for draft-fett-oauth-dpop-03.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 17 Nov 2019 10:14:28 -0000


> Am 17.11.2019 um 04:06 schrieb David Waite <david@alkaline-solutions.com>:
> 
> You’ll be audience-scoping either way, so it may make sense to use a symmetric algorithm for both. It starts to look like kerberos in HTTP and JSON when you squint.

Even if audience restriction is a recommended practice, I‘m not fully sure this is a broadly established practice.

As you pointed out, symmetrical keys require RS-specific access tokens, i.e. the client needs to tell the AS what RS it is going to use the token at. Using resource indicators or rar?

This reminds me the simplicity of the approach based on asymmetric crypto re programming model and key management.