Re: [OAUTH-WG] New Version Notification for draft-fett-oauth-dpop-03.txt
Brian Campbell <bcampbell@pingidentity.com> Wed, 27 November 2019 19:19 UTC
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Wed, 27 Nov 2019 12:19:24 -0700
Message-ID: <CA+k3eCSxyS+A76qMZL4qE5jkkrdXJ5-riWX7UkOB8SYiBxw1mQ@mail.gmail.com>
To: Neil Madden <neil.madden@forgerock.com>
Cc: "Richard Backman, Annabelle" <richanna@amazon.com>, oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/yRo2rkmjQNfBZgW2zBAghFFsyWM>
On Wed, Nov 27, 2019 at 3:31 AM Neil Madden <neil.madden@forgerock.com> wrote:

> That is true, but is IMO more of a hindrance than an advantage for a PoP
> scheme. The very fact that the signature is valid at every RS is why you
> need additional measures to prevent cross-RS token reuse. This downside of
> signatures for authentication was pointed out by djb 18 years ago
> (https://groups.google.com/forum/m/#!msg/sci.crypt/73yb5a9pz2Y/LNgRO7IYXOwJ),
> which is why most modern crypto protocols either use Diffie-Hellman for
> authN (https://noiseprotocol.org) or sign a hash of an interactive
> handshake transcript (TLS 1.3 -
> https://tools.ietf.org/html/rfc8446#section-4.4.3) so that the signature
> is tightly bound to a specific interactive protocol run.

Mostly for my own edification - using Diffie-Hellman for authN (that a key was held) was effectively at the heart of the "tentative suggestion for an alternative design" that you had much earlier in this thread?
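Added example, not part of this message or of the draft: a minimal DPoP-style proof verifier showing the "additional measures" the quoted text refers to, namely binding each proof to the RS's URI (htu) and HTTP method (htm), a freshness window on iat, and single use of jti, which are the claims draft-fett-oauth-dpop-03 defines for the proof JWT. The signature here is an HMAC stand-in over a constructed key so the block runs offline; real DPoP uses an asymmetric JWS verified against the public key carried in the jwk header, and the names DEMO_KEY, make_proof and verify_proof are this example's own.

```python
import base64, hashlib, hmac, json

DEMO_KEY = b"constructed-demo-key"  # stand-in for the client's key pair (see lead-in)

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_proof(htm, htu, jti, iat):
    """Client side: a DPoP proof in JWS compact form (HMAC stand-in signature)."""
    header = {"typ": "dpop+jwt", "alg": "HS256", "jwk": {"kid": "demo"}}
    payload = {"htm": htm, "htu": htu, "jti": jti, "iat": iat}
    signing_input = _b64(json.dumps(header).encode()) + "." + _b64(json.dumps(payload).encode())
    tag = hmac.new(DEMO_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(tag)

def verify_proof(proof, method, url, now, seen_jtis, max_age=60):
    """RS side. A valid signature alone proves key possession, nothing more; the
    claims bind the proof to this RS, this method, this time window and one use."""
    try:
        h, p, s = proof.split(".")
        expected = hmac.new(DEMO_KEY, (h + "." + p).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(s)):
            return "bad signature"
        header, claims = json.loads(_unb64(h)), json.loads(_unb64(p))
    except (ValueError, UnicodeDecodeError):
        return "malformed"
    if header.get("typ") != "dpop+jwt":
        return "wrong typ"
    # Binding checks: a proof minted for RS A must not be accepted by RS B.
    if claims.get("htm") != method:
        return "htm mismatch"
    # htu is the request URI without query and fragment.
    if claims.get("htu") != url.split("?", 1)[0].split("#", 1)[0]:
        return "htu mismatch"
    iat = claims.get("iat")
    if not isinstance(iat, int) or abs(now - iat) > max_age:
        return "stale iat"
    jti = claims.get("jti")
    if not jti or jti in seen_jtis:
        return "replayed jti"
    seen_jtis.add(jti)  # the RS only needs to remember jtis inside max_age
    return "ok"
```

The seen_jtis set stands in for whatever replay cache the RS keeps; entries older than max_age can be evicted because the iat check already rejects them.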