Re: [OAUTH-WG] [Ace] Questions about OAuth and DTLS

Michael Richardson <> Thu, 04 February 2016 14:31 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 4A3901B304B; Thu, 4 Feb 2016 06:31:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id iWFwVt_9H9wj; Thu, 4 Feb 2016 06:31:45 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id C9B211B304F; Thu, 4 Feb 2016 06:31:44 -0800 (PST)
Received: from ( [IPv6:2607:f0b0:f:2::247]) by (Postfix) with ESMTP id A1DA82009E; Thu, 4 Feb 2016 09:40:38 -0500 (EST)
Received: from (ip6-localhost [IPv6:::1]) by (Postfix) with ESMTP id 4544363751; Thu, 4 Feb 2016 09:31:43 -0500 (EST)
From: Michael Richardson <>
To: Ludwig Seitz <>
In-Reply-To: <>
References: <>
X-Mailer: MH-E 8.6; nmh 1.6+dev; GNU Emacs 24.4.2
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha1"; protocol="application/pgp-signature"
Date: Thu, 04 Feb 2016 09:31:43 -0500
Message-ID: <>
Archived-At: <>
X-Mailman-Approved-At: Thu, 04 Feb 2016 06:41:31 -0800
Subject: Re: [OAUTH-WG] [Ace] Questions about OAuth and DTLS
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 04 Feb 2016 14:31:48 -0000

Ludwig Seitz <> wrote:
    > Assuming we are using (D)TLS to secure the connection between C and RS,
    > assuming further that we are using proof-of-possession tokens [2],
    > i.e. tokens linked to a key, of which the client needs to prove possession in
    > order for the RS to accept the token.

    > Do we need to support cases, where the type of key used with DTLS does not
    > match the type of key in the PoP-token?

    > Example:

    > The client uses its raw public key as proof of possession, but the DTLS
    > connection C - RS is secured with a pre-shared symmetric key.

    > Is that a realistic use case?

Before I agree that it's unrealistic, I think it's worth going out of charter
scope and ask how much these two credentials were created/distributed.

I think that in this case, the pre-shared symmetric key is initialized
through some out-of-band (perhaps human mediated?) process, while the raw
public key did not need any other pre-arrangement.

So my question is then: could the out-of-band process have pre-exchanged the
raw public key (and the RS's key/certificate!) as well?

    > It would simplify the DTLS cases a lot, if I could just require the token and
    > the DTLS session to use the same type of key. For starters we could use DTLS
    > handshake to perform the proof-of-possession.

I agree, that it would be better.
(I'm also concerned that we not fail into where IKEv1 did: with weak PSK
being the only interoperable mechanism...)

    > Would there be any security issues with using the PoP key in the DTLS
    > handshake?

    > I'm thinking of using pre-shared symmetric PoP keys as PSK as in RFC4279 and
    > raw public PoP keys as client-authentication key as in
    > RFC7250.

Just because I had to look it up...
4279 - Pre-Shared Key Ciphersuites for Transport Layer Security
7250 - Using Raw Public Keys in Transport Layer Security

I thought perhaps it was some more specific mechanism...

Michael Richardson <>, Sandelman Software Works
 -= IPv6 IoT consulting =-