Re: [OAUTH-WG] Potential uses of PoP keys in CBOR Web Tokens (CWTs)

Nat Sakimura <sakimura@gmail.com> Wed, 21 June 2017 19:55 UTC

References: <ad0a0942-a30a-3733-c294-447d9b767986@gmx.net>
In-Reply-To: <ad0a0942-a30a-3733-c294-447d9b767986@gmx.net>
From: Nat Sakimura <sakimura@gmail.com>
Date: Wed, 21 Jun 2017 19:54:49 +0000
Message-ID: <CABzCy2BS-pFB+ha9Hi8X=J_v1fRaAxvWtK=7OpVii404mbuEyw@mail.gmail.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>, "oauth@ietf.org" <oauth@ietf.org>
Cc: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/on9H9herHUq13n454rb7aJaYEWA>

So, I have finally started to put the tip of my foot into the IoT world, and so
I have no actual product or service, but PoP keys for CWT should be useful
for severely constrained devices. We have seen so many instances of token
interception and replay in the IoT sphere. PoP keys in CBOR should help
mitigate it.

Nat

On Tue, Jun 13, 2017 at 3:19 AM Hannes Tschofenig <hannes.tschofenig@gmx.net>
wrote:

> Hi all,
>
> RFC 7800 defines how to communicate Proof of Possession (PoP) keys for
> JSON Web Tokens (JWTs) [RFC 7519]. The CBOR Web Token (CWT)
> draft-ietf-ace-cbor-web-token spec defines the CBOR/COSE equivalent of
> the JSON/JOSE JWT spec.
>
> The ACE working group is planning to also define a CBOR/COSE equivalent
> of RFC 7800 and is interested in knowing how you might use CBOR
> proof-of-possession keys for CWTs.
>
> Please drop us a message if you are using CBOR PoP keys for CWTs. We
> would like to learn more about your usage.
>
> Ciao
> Hannes & Kepeng
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
-- 

Nat Sakimura

Chairman of the Board, OpenID Foundation
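
The replay problem Nat describes, and the RFC 7800 confirmation mechanism Hannes refers to, as an added example that is not part of this thread and not code from either author. It is a simplified, JSON/JWT-style model of the "cnf" claim using the "kid" confirmation method (RFC 7800 section 3.4): the authorization server binds the token to a key identifier, the resource server looks that key up in its own store, and the client must sign each request with that key. A CWT/COSE version would carry the same cnf structure in CBOR. Keys, names, the HMAC-based token signature, the request-signing format and the nonce replay cache are all constructed for the example; an HMAC token signature and client-chosen nonces are simplifications, not what the RFCs prescribe.

```python
import base64
import hashlib
import hmac
import json
import secrets

# --- constructed keys and identifiers (not from the thread) ---
AS_SIGNING_KEY = b"authorization-server-secret-key-demo"  # would be asymmetric in practice
CLIENT_POP_KEY = b"client-pop-key-demo"                   # provisioned on the device
CLIENT_KID = "device-42-pop-key"
# Resource-server key store: PoP keys known by kid (RFC 7800 section 3.4).
RS_POP_KEYS = {CLIENT_KID: CLIENT_POP_KEY}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(sub: str, aud: str, kid: str, now: int) -> str:
    """AS issues a JWT-style token whose cnf claim names the client's PoP key."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": "as.example", "sub": sub, "aud": aud,
              "iat": now, "exp": now + 600, "cnf": {"kid": kid}}
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc(header) + "." + enc(claims)
    sig = hmac.new(AS_SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_token(token: str, aud: str, now: int) -> dict:
    """RS checks the AS signature, audience and expiry; returns the claims."""
    h, c, s = token.split(".")
    expected = hmac.new(AS_SIGNING_KEY, (h + "." + c).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad token signature")
    claims = json.loads(b64url_decode(c))
    if claims.get("aud") != aud or claims.get("exp", 0) <= now:
        raise ValueError("token not valid for this RS or expired")
    return claims


def pop_signing_input(method: str, path: str, token: str, nonce: str) -> bytes:
    # Binds the proof to the request, to this specific token, and to a fresh nonce.
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    return "\n".join([method, path, token_hash, nonce]).encode()


def client_request(token: str, pop_key: bytes, method: str, path: str, nonce: str) -> dict:
    """Client presents the token plus an HMAC over the request made with its PoP key."""
    proof = hmac.new(pop_key, pop_signing_input(method, path, token, nonce), hashlib.sha256).digest()
    return {"method": method, "path": path, "token": token, "nonce": nonce, "proof": b64url(proof)}


class ResourceServer:
    def __init__(self, aud: str):
        self.aud = aud
        self.seen_nonces = set()  # replay cache; a real RS would bound this by time

    def handle(self, req: dict, now: int) -> str:
        claims = verify_token(req["token"], self.aud, now)       # 1. token is genuine
        key = RS_POP_KEYS.get(claims.get("cnf", {}).get("kid"))  # 2. resolve cnf key
        if key is None:
            raise ValueError("unknown PoP key")
        if req["nonce"] in self.seen_nonces:                     # 3. reject replays
            raise ValueError("replayed nonce")
        expected = hmac.new(key, pop_signing_input(req["method"], req["path"],
                                                   req["token"], req["nonce"]),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(req["proof"])):
            raise ValueError("proof of possession failed")       # 4. holder has the key
        self.seen_nonces.add(req["nonce"])
        return claims["sub"]


def run_scenarios(now: int = 1_700_000_000) -> dict:
    """Legitimate client, then two interceptors: one replays, one lacks the PoP key."""
    rs = ResourceServer("rs.example")
    token = issue_token("device-42", "rs.example", CLIENT_KID, now)
    good = client_request(token, CLIENT_POP_KEY, "GET", "/sensor/temp", secrets.token_urlsafe(8))
    results = {"legit": rs.handle(good, now)}
    for name, req in [
        ("replay", dict(good)),  # captured request resent verbatim
        ("forge", client_request(token, b"attacker-guess", "GET", "/sensor/temp",
                                 secrets.token_urlsafe(8))),  # token stolen, key not
    ]:
        try:
            rs.handle(req, now)
            results[name] = "accepted"
        except ValueError as e:
            results[name] = str(e)
    return results


if __name__ == "__main__":
    print(run_scenarios())
```

The point of the scenarios: an interceptor holding only the token cannot produce a valid proof, and resending a captured request fails on the nonce check. A bearer token would have been accepted in both cases. On a constrained device the same logic applies with the token as a CWT, the cnf member carrying a COSE_Key or kid, and the proof computed with COSE rather than the ad hoc HMAC used here.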