Re: [OAUTH-WG] Proof-of-Possession (PoP) Architecture Document

Chuck Mortimore <cmortimore@salesforce.com> Sun, 13 April 2014 01:09 UTC

Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/qcbRKyCTrHV19WV4QVdKoJeluoI

Nice document. One quick question:

In Section 6, on the use of asymmetric keys, it is stated "If the client
generates the key pair it includes a fingerprint of the public key (of the
SubjectPublicKeyInfo structure, more precisely).  The authorization server
would include this fingerprint in the access token and thereby bind the
asymmetric key pair to the token."   However, it's not clear where this
fingerprint would go in a JWK.   I see a cert fingerprint, but no provision
for a public key fingerprint.

What's the intent here?

-cmort



On Thu, Apr 3, 2014 at 1:40 AM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:

> Hi all,
>
> as discussed during the last IETF meeting we are re-factoring our
> documents on proof-of-possession. (As a reminder, here is the
> presentation I have during the OAuth meeting:
> http://www.ietf.org/proceedings/89/slides/slides-89-oauth-0.pptx)*
>
> Mike had already posted draft-jones-oauth-proof-of-possession-00 and now
> I have added the architecture document, which provides an overview of
> the different pieces.
>
> Here is the document for you to look at:
> http://tools.ietf.org/html/draft-hunt-oauth-pop-architecture-00
>
> Ciao
> Hannes
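The binding quoted from Section 6, sketched as an added example that is not part of this message or of the draft: the authorization server stores a fingerprint of the client's DER-encoded SubjectPublicKeyInfo in the token, and the resource server recomputes it from the key the client presents. The hash (SHA-256), the unpadded base64url encoding, the claim name `spki_fp` and all function names are assumptions, and the key bytes are constructed sample data.

```python
import base64
import hashlib
import hmac

# Constructed sample: DER SubjectPublicKeyInfo for an Ed25519 key is a fixed
# 12-byte header followed by the 32 raw key bytes (the key bytes are made up).
ED25519_SPKI_HEADER = bytes.fromhex("302a300506032b6570032100")
CLIENT_SPKI = ED25519_SPKI_HEADER + bytes(range(32))
OTHER_SPKI = ED25519_SPKI_HEADER + bytes(range(1, 33))

def _is_single_der_sequence(der: bytes) -> bool:
    """True if der is exactly one DER SEQUENCE with no trailing bytes."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        return len(der) == 2 + first
    count = first & 0x7F                  # long-form: number of length bytes
    if count == 0 or len(der) < 2 + count:
        return False
    return len(der) == 2 + count + int.from_bytes(der[2:2 + count], "big")

def spki_fingerprint(spki_der: bytes) -> str:
    """Unpadded base64url of SHA-256 over the DER SPKI (assumed encoding)."""
    if not _is_single_der_sequence(spki_der):
        raise ValueError("input is not a single DER SEQUENCE")
    digest = hashlib.sha256(spki_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def issue_token_claims(subject: str, spki_der: bytes) -> dict:
    # Authorization server side; "spki_fp" is a hypothetical claim name.
    return {"sub": subject, "spki_fp": spki_fingerprint(spki_der)}

def key_matches_token(claims: dict, presented_spki_der: bytes) -> bool:
    # Resource server side. This checks only the binding; the token's own
    # integrity and the client's signature made with this key are separate
    # checks that must also pass.
    expected = claims.get("spki_fp")
    if not isinstance(expected, str):
        return False
    try:
        actual = spki_fingerprint(presented_spki_der)
    except ValueError:
        return False
    return hmac.compare_digest(expected.encode(), actual.encode())
```

Because the fingerprint covers only the SubjectPublicKeyInfo, it identifies the key itself rather than any one certificate that carries it.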