IETF Logo Mail Archive

Re: [OAUTH-WG] New Version Notification for draft-fett-oauth-dpop-03.txt

Brian Campbell <bcampbell@pingidentity.com> Wed, 27 November 2019 19:19 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DC8461209D4 for <oauth@ietfa.amsl.com>; Wed, 27 Nov 2019 11:19:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c3CZP4VjNM0o for <oauth@ietfa.amsl.com>; Wed, 27 Nov 2019 11:19:54 -0800 (PST)
Received: from mail-lj1-x22a.google.com (mail-lj1-x22a.google.com [IPv6:2a00:1450:4864:20::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0021D1209D3 for <oauth@ietf.org>; Wed, 27 Nov 2019 11:19:53 -0800 (PST)
Received: by mail-lj1-x22a.google.com with SMTP id e9so25697650ljp.13 for <oauth@ietf.org>; Wed, 27 Nov 2019 11:19:53 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=K8PUyAw2J62WTCRxaawVX2FDojA41+aAZc7rQ0eYDqM=; b=RVChpiGdB96dINsIAZJatNCIBzBu5WoM0b3786cyZkV2mVvkstg/plBJb8b5i81WC7 qcg9K6GvHJoXpBWhwe8GEbQjvBVar8i8yTTxeXdJDXKZX3gKdrWOTfhRcRmCYkTYxMXl hiEQePRsQw5bKFrKDYhjyIaBdaDr/PKjmCy3vQNjbv/92CClBIlNduj/q44NO7xI22q2 jirhfn4JGDCx+lgrzpstEz6eV1s86ynZF8ES108H/PObvFNwz50l7m3ZLJCJWSMxCxrT 0X40WLaenkSpq3rfPdiWK3GotdJeZ6hUSgHkZbKeiLf1qP5dsY5Y+rEYXOCt0C9pW/mS JhIQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=K8PUyAw2J62WTCRxaawVX2FDojA41+aAZc7rQ0eYDqM=; b=a9HeLUbUSCF2Tc+YG3mWxskdbg0njMUdfGsAJazL+mL/AOSJ4kSFiZ4zmU2coQ0njI wm1S8ScwFZYOVfNsr0xOMGTo0m1t/0ZwtAm3WIqKxQb7m9NHWEICnlPj60t3bnGFXw+b C22D5IEsoAh3fOZTuARU8iWn3XrDoGYHjmALejeZ8RjiZZYKb7qVdQX8Fkl+Dar4rIb6 uKnOBEb2PYt/o2K0OWQpaEqFeQoyo2NGwTMUCeZWRsBRh8POFAISFk1l3MAfWjrX9Keo qkmazyz8v0ygOu/CNNj24f0WsggI0cswBr+N6+7VejqGKOMhSvEu1sIaj1wc9pUF3l2j eaNQ==
X-Gm-Message-State: APjAAAVkL0g50ZEq82dcpDPKEK+dv7WuUCCZb3GRNXhhCT7JQCRdZqDQ FVjEto5sWu1WW12ZhIA4b5qG+lCZIMVJuFf2WkIdDNNDdoTZfSV2+096ezcEEq0u5Mea5nelWM/ 8tNah+Kx7GSVn+Q==
X-Google-Smtp-Source: APXvYqzQalEIOCUMGYA25l7fK6ujiKG13gwCzZlk7I914xNPS8+t6bTdaPT091OzmTuQzAaYwA8uVPFjRsMSTmI0Eds=
X-Received: by 2002:a2e:8855:: with SMTP id z21mr33015412ljj.212.1574882391982; Wed, 27 Nov 2019 11:19:51 -0800 (PST)
MIME-Version: 1.0
References: <3D5C611E-4B03-4A46-A22B-D8AC9FE0AC51@amazon.com> <D7215EC5-E9B5-4C9A-8E2A-1DAE8A5AA4D6@forgerock.com>
In-Reply-To: <D7215EC5-E9B5-4C9A-8E2A-1DAE8A5AA4D6@forgerock.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Wed, 27 Nov 2019 12:19:24 -0700
Message-ID: <CA+k3eCSxyS+A76qMZL4qE5jkkrdXJ5-riWX7UkOB8SYiBxw1mQ@mail.gmail.com>
To: Neil Madden <neil.madden@forgerock.com>
Cc: "Richard Backman, Annabelle" <richanna@amazon.com>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000089a6db059858e14c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/yRo2rkmjQNfBZgW2zBAghFFsyWM>
Subject: Re: [OAUTH-WG] New Version Notification for draft-fett-oauth-dpop-03.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Nov 2019 19:19:56 -0000

On Wed, Nov 27, 2019 at 3:31 AM Neil Madden <neil.madden@forgerock.com>
wrote:

>
> That is true, but is IMO more of a hindrance than an advantage for a PoP
> scheme. The very fact that the signature is valid at every RS is why you
> need additional measures to prevent cross-RS token reuse. This downside of
> signatures for authentication was pointed out by djb 18 years ago (
> https://groups.google.com/forum/m/#!msg/sci.crypt/73yb5a9pz2Y/LNgRO7IYXOwJ),
> which is why most modern crypto protocols either use Diffie-Hellman for
> authN (https://noiseprotocol.org) or sign a hash of an interactive
> handshake transcript (TLS 1.3 -
> https://tools.ietf.org/html/rfc8446#section-4.4.3) so that the signature
> is tightly bound to a specific interactive protocol run.
>
>
Mostly for my own edification -  using Diffie-Hellman for authN (that a key
was held) was effectively at the heart of the "tentative suggestion for an
alternative design" that you had much early in this thread?

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._

v2.23.0 | Report a Bug | By Email