[OAUTH-WG] Questions about OAuth and DTLS
Ludwig Seitz <ludwig@sics.se> Thu, 04 February 2016 09:54 UTC
To: ace@ietf.org
From: Ludwig Seitz <ludwig@sics.se>
Message-ID: <56B31FEB.4010204@sics.se>
Date: Thu, 04 Feb 2016 10:54:51 +0100
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/yKr7IHXreRK7REYGiiExVN_EsUg>
Cc: oauth@ietf.org
Hello list(s),

in the process of updating our draft [1] (mainly in reaction to the reviewer's comments) I've come up with a question I'd like to put to the list (crossposting to OAuth as well, they might have considered that already):

Assuming we are using (D)TLS to secure the connection between C and RS, and assuming further that we are using proof-of-possession tokens [2], i.e. tokens linked to a key of which the client needs to prove possession in order for the RS to accept the token:

Do we need to support cases where the type of key used with DTLS does not match the type of key in the PoP token?

Example: The client uses its raw public key as proof of possession, but the DTLS connection C - RS is secured with a pre-shared symmetric key.

Is that a realistic use case? It would simplify the DTLS cases a lot if I could just require the token and the DTLS session to use the same type of key.

For starters we could use the DTLS handshake to perform the proof-of-possession. Would there be any security issues with using the PoP key in the DTLS handshake? I'm thinking of using pre-shared symmetric PoP keys as PSK as in RFC4279 and raw public PoP keys as client-authentication key as in RFC7250.

Regards,

Ludwig

[1] https://datatracker.ietf.org/doc/draft-ietf-ace-oauth-authz/
[2] https://tools.ietf.org/html/draft-ietf-oauth-pop-key-distribution-02

--
Ludwig Seitz, PhD
SICS Swedish ICT AB
Ideon Science Park
Building Beta 2
Scheelevägen 17
SE-223 70 Lund
Phone +46(0)70 349 9251
http://www.sics.se
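The "same key type for token and DTLS session" rule the message proposes, as an added illustration that is not part of the draft or of the author's mail: the RS derives the expected DTLS client credential from the token's PoP key (symmetric key as PSK per RFC 4279, raw public key per RFC 7250) and rejects a handshake whose credential type or value does not match. The `cnf`/`jwk` token layout and the choice of the token's `kid` as the PSK identity are assumptions, and the tokens are constructed samples.

```python
import hmac

# Constructed sample tokens (assumption: PoP key carried in a JWK-style "cnf" claim).
TOKEN_PSK = {
    "aud": "coaps://rs.example",
    "cnf": {"jwk": {"kty": "oct", "kid": "tok-1",
                    "k": bytes.fromhex("00112233445566778899aabbccddeeff")}},
}
TOKEN_RPK = {
    "aud": "coaps://rs.example",
    "cnf": {"jwk": {"kty": "EC", "crv": "P-256",
                    "x": bytes.fromhex("aa" * 32), "y": bytes.fromhex("bb" * 32)}},
}


def dtls_binding_for(token):
    """Map the token's PoP key onto the DTLS client-authentication mechanism.

    Returns ("psk", identity, key) for a symmetric PoP key (RFC 4279 style,
    identity = key id by assumption) or ("rpk", public_key_fields) for a raw
    public key (RFC 7250 style). Any other key type is refused outright.
    """
    jwk = token["cnf"]["jwk"]
    if jwk["kty"] == "oct":
        return ("psk", jwk["kid"], jwk["k"])
    if jwk["kty"] == "EC":
        return ("rpk", {f: jwk[f] for f in ("crv", "x", "y")})
    raise ValueError("unsupported PoP key type: %s" % jwk["kty"])


def rs_accepts(token, handshake_mode, handshake_cred):
    """RS-side check after the DTLS handshake completed.

    handshake_mode is "psk" or "rpk"; handshake_cred is (identity, key) for
    PSK or the raw public key fields for RPK. A type mismatch (e.g. an RPK
    token presented over a PSK session) is rejected instead of supported,
    which is exactly the simplification the mail asks about.
    """
    mode, *bound = dtls_binding_for(token)
    if mode != handshake_mode:
        return False
    if mode == "psk":
        identity, key = bound
        hs_identity, hs_key = handshake_cred
        # Constant-time comparison so the check leaks nothing about the PSK.
        return identity == hs_identity and hmac.compare_digest(key, hs_key)
    return bound[0] == handshake_cred
```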