Re: [OAUTH-WG] Wrapping access token and codes
Bill Mills <wmills_92105@yahoo.com> Thu, 06 November 2014 18:53 UTC
Date: Thu, 06 Nov 2014 18:51:51 +0000
From: Bill Mills <wmills_92105@yahoo.com>
To: Sergey Beryozkin <sberyozkin@gmail.com>, "oauth@ietf.org" <oauth@ietf.org>
Message-ID: <486890415.168363.1415299911950.JavaMail.yahoo@jws10615.mail.bf1.yahoo.com>
In-Reply-To: <545B6582.2030505@gmail.com>
References: <545B6582.2030505@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/mCUC9H_8yzw3JTqvo8YqM8nt9ig
Subject: Re: [OAUTH-WG] Wrapping access token and codes
So you're wanting end-to-end security not relying on TLS? Have you seen the new draft on protecting codes from interception? Currently called SPOP but needs a different name.

On Thursday, November 6, 2014 4:12 AM, Sergey Beryozkin <sberyozkin@gmail.com> wrote:

> Hi
>
> Does it make sense to consider supporting an access token or code wrapping as part of the standard OAuth2 responses?
>
> For example, if a client has registered its public key with AS then say the access token response would contain the regular {"access_token":"1234345"} except that "1234345" would actually be a JWE RSA-OAEP wrapped opaque token with a client's public key being used. Or a direct key encrypted token if the client and the server only share the client secret allocated to the client during the registration. The net result is that only the registered confidential client would be able to extract the actual opaque access token. The response would actually be {"access_token":"1234345", wrapped:true}.
>
> I definitely plan to use this approach as a simple mechanism for making a safer distribution of MAC keys as part of access token responses; but IMHO it can be handy for minimizing the possibility of the access/refresh tokens or codes being intercepted...
>
> Sergey
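The public-key variant Sergey describes, written out as an added example (not code from the thread or from any IETF draft): the AS wraps the opaque token in a compact JWE with alg=RSA-OAEP and enc=A256GCM under the client's registered key, and the client unwraps it. The choice of A256GCM, the compact serialization and the exact-header check on the client side are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/base64"
	"errors"
	"strings"
)

var b64 = base64.RawURLEncoding
// Protected header: alg=RSA-OAEP (SHA-1/MGF1-SHA-1 per RFC 7518), enc=A256GCM.
var hdr = b64.EncodeToString([]byte(`{"alg":"RSA-OAEP","enc":"A256GCM"}`))

// aesGCM builds the A256GCM AEAD for a 32-byte content-encryption key.
func aesGCM(cek []byte) cipher.AEAD { b, _ := aes.NewCipher(cek); g, _ := cipher.NewGCM(b); return g }

// WrapToken (AS side) encrypts an opaque token as a compact JWE under the
// client's registered public key, so only that client can recover it.
func WrapToken(clientPub *rsa.PublicKey, token string) (string, error) {
	buf := make([]byte, 44) // fresh 32-byte CEK followed by a 12-byte GCM IV
	if _, err := rand.Read(buf); err != nil { return "", err }
	cek, iv := buf[:32], buf[32:]
	encKey, err := rsa.EncryptOAEP(sha1.New(), rand.Reader, clientPub, cek, nil)
	if err != nil { return "", err }
	sealed := aesGCM(cek).Seal(nil, iv, []byte(token), []byte(hdr)) // header is the AAD
	ct, tag := sealed[:len(sealed)-16], sealed[len(sealed)-16:] // GCM appends the tag
	return strings.Join([]string{hdr, b64.EncodeToString(encKey), b64.EncodeToString(iv),
		b64.EncodeToString(ct), b64.EncodeToString(tag)}, "."), nil
}

// UnwrapToken (client side) accepts only the exact header it expects, so the
// sender cannot steer it to another alg/enc, then authenticates and decrypts.
func UnwrapToken(clientPriv *rsa.PrivateKey, jwe string) (string, error) {
	p := strings.Split(jwe, ".")
	if len(p) != 5 || p[0] != hdr { return "", errors.New("not the expected compact JWE") }
	var raw [5][]byte
	for i := range p {
		var err error
		if raw[i], err = b64.DecodeString(p[i]); err != nil { return "", err }
	}
	cek, err := rsa.DecryptOAEP(sha1.New(), nil, clientPriv, raw[1], nil)
	if err != nil { return "", err }
	pt, err := aesGCM(cek).Open(nil, raw[2], append(raw[3], raw[4]...), []byte(p[0]))
	if err != nil { return "", errors.New("token authentication failed") }
	return string(pt), nil
}
```

The AS would place the returned JWE string in the "access_token" member alongside the proposed wrapped flag; a client holding a different private key, or a response whose ciphertext was altered in transit, fails at the GCM tag check rather than yielding a token.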