Re: [OAUTH-WG] Wrapping access token and codes

Bill Mills <wmills_92105@yahoo.com> Thu, 06 November 2014 18:53 UTC

Date: Thu, 06 Nov 2014 18:51:51 +0000
From: Bill Mills <wmills_92105@yahoo.com>
To: Sergey Beryozkin <sberyozkin@gmail.com>, "oauth@ietf.org" <oauth@ietf.org>
Message-ID: <486890415.168363.1415299911950.JavaMail.yahoo@jws10615.mail.bf1.yahoo.com>
In-Reply-To: <545B6582.2030505@gmail.com>
References: <545B6582.2030505@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/mCUC9H_8yzw3JTqvo8YqM8nt9ig
Subject: Re: [OAUTH-WG] Wrapping access token and codes

So you're wanting end-to-end security not relying on TLS?

Have you seen the new draft on protecting codes from interception? Currently called SPOP but needs a different name.
On Thursday, November 6, 2014 4:12 AM, Sergey Beryozkin <sberyozkin@gmail.com> wrote:

Hi

Does it make sense to consider supporting access token or code
wrapping as part of the standard OAuth2 responses?

For example, if a client has registered its public key with the AS, then, say,
the access token response would contain the regular

{"access_token":"1234345"}

except that "1234345" would actually be a JWE RSA-OAEP wrapped opaque 
token with a client's public key being used. Or a direct key encrypted 
token if the client and the server only share the client secret 
allocated to the client during the registration.

The net result is that only the registered confidential client would be 
able to extract the actual opaque access token. The response would 
actually be

{"access_token":"1234345", "wrapped":true}.

I definitely plan to use this approach as a simple mechanism for making
a safer distribution of MAC keys as part of access token responses; but
IMHO it can be handy for minimizing the possibility of the
access/refresh tokens or codes being intercepted...

Sergey
