Re: [OAUTH-WG] Few questions about HOTK

Sergey Beryozkin <sberyozkin@gmail.com> Fri, 21 December 2012 11:30 UTC

Message-ID: <50D44833.2030100@gmail.com>
Date: Fri, 21 Dec 2012 11:29:55 +0000
From: Sergey Beryozkin <sberyozkin@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20120430 Thunderbird/12.0.1
MIME-Version: 1.0
To: Hannes Tschofenig <Hannes.Tschofenig@gmx.net>
References: <50D387DB.4080608@gmail.com> <20121221104332.258510@gmx.net>
In-Reply-To: <20121221104332.258510@gmx.net>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Few questions about HOTK

Hi Hannes
On 21/12/12 10:43, Hannes Tschofenig wrote:
> Hi Sergey,
>
> in draft version -01 of draft-tschofenig-oauth-hotk we also included an example description of how to support symmetric keys since draft version -00 only provided support for asymmetric keys. There are essentially three ways for proof of possession of the keying material supported in that document, namely: (a) asymmetric keys, (b) JWS using symmetric keys, and (c) MAC tokens.
>
> The symmetric key approach using JWS addresses a number of the requirements listed in draft-tschofenig-oauth-security-01, including
>
>   - unique key naming (based on the JWS kid)
>   - algorithm indication (based on features provided by JWS) but not negotiation
>   - replay protection (based on features provided by JWS)
>   - key scoping based on features inherited from JWT
>   - resource owner identity confidentiality (based on JWT)
>   - keyed message digest computation based on JWS (which is much easier for implementers than the canonicalization approach).
>
> The question about key transport from the Authorization Server to the Resource Server (via JWE) is only raised and not solved.

I think I'm getting your earlier point now that HOTK and MAC are not equal in what they can offer; the concepts are somewhat orthogonal.

As far as MAC & HOTK are concerned, would it be right to say that MAC offers:
- unique key naming (based on the MAC key id returned to the client)
- some support around replay protection based on the Authorization MAC nonce & timestamp attributes
- key scoping? (MAC attributes are bound to an access token which will expire)
- algorithm indication (e.g., hmac-sha-1)

Note that I'm not trying to prove that MAC may be at the same level as JWS with respect to a number of HOTK properties that can be supported or the security requirements that can be met; rather, I'd like to grasp what exactly MAC offers with respect to the HOTK discussion :-)

Cheers, Sergey

>
> Ciao
> Hannes
>
> -------- Original Message --------
>> Date: Thu, 20 Dec 2012 21:49:15 +0000
>> From: Sergey Beryozkin <sberyozkin@gmail.com>
>> To: "<oauth@ietf.org>" <oauth@ietf.org>
>> Subject: [OAUTH-WG] Few questions about HOTK
>
>> Hi Hannes, others,
>>
>> I'd like to understand what is the difference between HOTK Symmetric [1]
>> and MAC [2].
>>
>> I'm reading about HOTK Symmetric and JWS profile and it seems like HOTK
>> Symmetric text can support MAC.
>>
>> My main question at the moment: does HOTK (Symmetric) offer an
>> alternative to MAC or is HOTK actually a higher-level token scheme which
>> can support different types of tokens ?
>>
>> thanks, Sergey
>>
>> [1] http://tools.ietf.org/html/draft-tschofenig-oauth-hotk-01
>> [2] http://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac-02
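The MAC properties discussed in this thread (a key id naming the shared secret, a timestamp and nonce for replay protection, and an algorithm indication such as hmac-sha-1), shown as an added Python example of how a resource server would check such a proof of possession. This is not code from either draft or from the thread's authors; the normalized-request layout, the parameter names, the key table and the replay window are assumptions modelled loosely on the MAC draft, not its exact syntax.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed demo key table: key id -> (shared secret, algorithm). In the MAC scheme the
# authorization server hands these to the client alongside the access token; these are
# made-up test values, not values from any real deployment or from the drafts.
KEYS = {"demo-key-1": (b"constructed-demo-secret", "hmac-sha-1")}
ALGS = {"hmac-sha-1": hashlib.sha1, "hmac-sha-256": hashlib.sha256}


def normalized_request(ts, nonce, method, uri, host, port, ext=""):
    # Assumed layout: one field per line, binding the request to ts and nonce so that a
    # captured header cannot be reused for a different request (modelled on the MAC draft).
    fields = [str(ts), nonce, method.upper(), uri, host.lower(), str(port), ext]
    return "\n".join(fields) + "\n"


def compute_mac(secret, alg, normalized):
    # Keyed digest over the normalized request; the algorithm is looked up by its name.
    return base64.b64encode(hmac.new(secret, normalized.encode(), ALGS[alg]).digest()).decode()


def client_sign(kid, method, uri, host, port, ts=None, nonce=None):
    # Client side: produce the Authorization parameters (id, ts, nonce, mac) for one request.
    secret, alg = KEYS[kid]
    ts = int(time.time()) if ts is None else ts
    nonce = nonce or secrets.token_hex(8)
    mac = compute_mac(secret, alg, normalized_request(ts, nonce, method, uri, host, port))
    return {"id": kid, "ts": ts, "nonce": nonce, "mac": mac}


class ResourceServer:
    def __init__(self, keys, window=300):
        self.keys, self.window, self.seen = keys, window, set()  # seen = (id, ts, nonce)

    def verify(self, auth, method, uri, host, port, now=None):
        # Returns "ok" or the reason the proof was rejected; checks are ordered so that a
        # replayed header is refused before any digest work is done.
        now = int(time.time()) if now is None else now
        entry = self.keys.get(auth.get("id"))
        if entry is None:
            return "unknown key id"
        secret, alg = entry
        if abs(now - int(auth["ts"])) > self.window:
            return "stale timestamp"
        if (auth["id"], auth["ts"], auth["nonce"]) in self.seen:
            return "replayed nonce"
        expected = compute_mac(secret, alg, normalized_request(auth["ts"], auth["nonce"], method, uri, host, port))
        if not hmac.compare_digest(expected, auth["mac"]):
            return "bad mac"
        self.seen.add((auth["id"], auth["ts"], auth["nonce"]))
        return "ok"
```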