Re: [OAUTH-WG] Fwd: I-D Action: draft-ietf-oauth-pop-key-distribution-03.txt

John Bradley <ve7jtb@ve7jtb.com> Fri, 03 March 2017 21:52 UTC

From: John Bradley <ve7jtb@ve7jtb.com>
Message-Id: <C3DB1CD2-5E9C-4EDE-B58A-580424FC9D60@ve7jtb.com>
Date: Fri, 03 Mar 2017 18:52:44 -0300
In-Reply-To: <be3b92bc-323a-70ca-b675-4596c7adbd26@sics.se>
To: Ludwig Seitz <ludwig@sics.se>
References: <148797332573.3278.6515135380852468551.idtracker@ietfa.amsl.com> <D2329C0E-C3F8-4F69-88AE-584561E45B65@ve7jtb.com> <be3b92bc-323a-70ca-b675-4596c7adbd26@sics.se>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/uKV_PFNy6OLNOuFHmcOdhY5_5ao>
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Fwd: I-D Action: draft-ietf-oauth-pop-key-distribution-03.txt

We rethought aud in https://tools.ietf.org/html/draft-campbell-oauth-resource-indicators

We wanted it to work with bearer tokens so that the AS could put an audience in the token that could not be faked by a malicious RS.
For the bearer token use case it needs to be a URI to avoid the client being tricked.

For a PoP token it could be logical if the token proof presentment mechanism is secure against RS spoofing.

Presentment mechanisms that are bound to TLS by an EKM or via mutual TLS are OK.
At the application layer the presentment would need to sign over the resource URI to prevent forwarding.
Something that used only a signature over a challenge would still rely on there being an unspoofable audience in the AT itself.

You could securely do a secure logical resource for bearer.

It could be something like the RS would provide its logical resource URI as part of an authenticate response along with the scopes required.

The client could de-reference the logical scope URI to retrieve a JSON object containing back pointers to the physical resource URI covered by that logical audience.
It could also contain other RS meta-data.

We do something like that in Connect to allow multiple redirect URIs to generate the same pairwise identifier.
http://openid.net/specs/openid-connect-registration-1_0.html#SectorIdentifierValidation

RS discovery has been shuffled aside in the WG for the moment.

I would be OK with res/aud being a logical identifier if it points to meta-data like aud in id_tokens points to meta-data for the AS.

I think making res/aud a free form string would come back and bite us on the ass.

John B.


> On Mar 3, 2017, at 9:10 AM, Ludwig Seitz <ludwig@sics.se> wrote:
> 
> On 2017-02-24 22:58, John Bradley wrote:
>> I updated the references but haven't made any other changes.
>> 
>> I had some questions about it so thought it was worth keeping alive
>> at least for discussion.
>> 
>> There have been some other questions and proposed changes.
>> 
>> I will take a look through them and see what may be worth updating.
>> 
>> John B.
>> 
>> 
> 
> Question about the 'aud' parameter: Wouldn't it be useful to allow other values than URIs for that one?
> 
> One could easily imagine a group identifier as value of that field, where the RS internally resolves whether it is part of that group and therefore the target audience of that token.
> 
> Regards,
> 
> Ludwig
> 
> -- 
> Ludwig Seitz, PhD
> Security Lab, RISE ICT/SICS
> Phone +46(0)70-349 92 51
> 
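An added example, not from the draft or from anyone in this thread, illustrating John's point above about application-layer PoP presentment: with one logical audience shared by two resource servers, a proof that signs over the resource URI is rejected when the same proof is presented at the other RS, while a proof over the challenge alone is accepted at both and so leans entirely on the token's aud. The PoP key, token shape, challenge and proof encoding are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed symmetric PoP key that the AS bound to the token (hypothetical).
POP_KEY = b"constructed-demo-pop-key"
LOGICAL_AUD = "urn:example:rs-group"      # one logical audience shared by two RSs
RS1, RS2 = "https://rs1.example/api", "https://rs2.example/api"


def issue_token(aud: str) -> str:
    """Constructed stand-in for an AS-issued access token carrying an 'aud'."""
    return json.dumps({"aud": aud, "scope": "read"}, sort_keys=True)


def token_hash(token: str) -> bytes:
    return hashlib.sha256(token.encode()).digest()


def prove_uri_bound(challenge: bytes, resource_uri: str, token: str) -> str:
    """Client proof that signs over the RS challenge, the resource URI and the token."""
    msg = b"\n".join([challenge, resource_uri.encode(), token_hash(token)])
    return hmac.new(POP_KEY, msg, "sha256").hexdigest()


def prove_challenge_only(challenge: bytes, token: str) -> str:
    """Weaker client proof: challenge and token only, the resource URI is not covered."""
    return hmac.new(POP_KEY, challenge + token_hash(token), "sha256").hexdigest()


def rs_accepts(my_uri: str, challenge: bytes, token: str, proof: str, uri_bound: bool) -> bool:
    """RS check: the token's aud must be ours, and the proof must verify under OUR inputs."""
    if json.loads(token).get("aud") != LOGICAL_AUD:
        return False                                  # token not issued for this audience
    expected = (prove_uri_bound(challenge, my_uri, token) if uri_bound
                else prove_challenge_only(challenge, token))
    return hmac.compare_digest(expected, proof)


def forwarding_outcomes() -> dict:
    """A proof the client computed for RS1 reaches RS2 unchanged, with the same
    challenge and token (the forwarding case the message describes)."""
    token = issue_token(LOGICAL_AUD)
    challenge = b"constructed-challenge-1234"
    bound = prove_uri_bound(challenge, RS1, token)
    weak = prove_challenge_only(challenge, token)
    return {
        "uri_bound_at_rs1": rs_accepts(RS1, challenge, token, bound, True),
        "uri_bound_at_rs2": rs_accepts(RS2, challenge, token, bound, True),
        "challenge_only_at_rs1": rs_accepts(RS1, challenge, token, weak, False),
        "challenge_only_at_rs2": rs_accepts(RS2, challenge, token, weak, False),
    }
```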