Hi Tony, 

I had to start somewhere. I had chosen the asymmetric version since it provides 
good security properties and there is already the BrowserID/OBC work that I had 
in the back of my mind. I am particularly interested to illustrate that you can 
accomplish the same, if not better, characteristics than BrowserID by using 
OAuth instead of starting from scratch. 

Regarding the symmetric keys: The asymmetric key can be re-used but with a 
symmetric key holder-of-the-key you would have to request a fresh one every 
time in order to accomplish comparable security benefits. 

Ciao
Hannes

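As an added illustration of the asymmetric holder-of-the-key variant discussed above (example code written for this thread, not taken from the draft or from any project): the authorization server binds the token to the client's public key, the client signs each request with the matching private key, and the resource server accepts only a genuine token whose request was signed by the bound key, so a token alone, without the key, is not enough. The token layout, the request digest and all names are assumptions for the example, not the draft's encoding; note that the client key pair is the long-lived part and can be bound into many tokens.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Token is an access token bound to the client's public key: Cnf carries the key,
// and Sig is the authorization server's signature over body() (subject + key).
type Token struct {
	Sub string
	Cnf ed25519.PublicKey
	Sig []byte
}
func (t Token) body() []byte { return append([]byte(t.Sub+"\n"), t.Cnf...) }

// issueToken (authorization server): bind a token for sub to clientPub.
func issueToken(asPriv ed25519.PrivateKey, sub string, clientPub ed25519.PublicKey) Token {
	t := Token{Sub: sub, Cnf: clientPub}
	t.Sig = ed25519.Sign(asPriv, t.body())
	return t
}

func requestDigest(t Token, method, uri string) []byte {
	return append([]byte(method+" "+uri+"\n"), t.body()...)
}

// signRequest (client): prove possession of the private key bound in the token.
func signRequest(clientPriv ed25519.PrivateKey, t Token, method, uri string) []byte {
	return ed25519.Sign(clientPriv, requestDigest(t, method, uri))
}

// verifyRequest (resource server): genuine token, request signed by its bound key.
func verifyRequest(asPub ed25519.PublicKey, t Token, method, uri string, reqSig []byte) bool {
	if len(t.Cnf) != ed25519.PublicKeySize || !ed25519.Verify(asPub, t.body(), t.Sig) {
		return false // not issued by the AS, or tampered with
	}
	return ed25519.Verify(t.Cnf, requestDigest(t, method, uri), reqSig)
}

// demo: holder's request accepted; same token without the bound private key rejected.
func demo() (accepted, stolenRejected bool) {
	asPub, asPriv, _ := ed25519.GenerateKey(rand.Reader)
	clientPub, clientPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	t := issueToken(asPriv, "alice", clientPub)
	accepted = verifyRequest(asPub, t, "GET", "/resource", signRequest(clientPriv, t, "GET", "/resource"))
	stolenRejected = !verifyRequest(asPub, t, "GET", "/resource", signRequest(otherPriv, t, "GET", "/resource"))
	return
}
```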
On Jul 9, 2012, at 9:57 PM, Anthony Nadalin wrote:

> Hannes, thanks for drafting this, couple of comments:
> 
> 1. HOK is one of the Proof of Possession methods, should we consider others?
> 2. This seems just to handle asymmetric keys, need to also handle symmetric 
> keys
> 
> 
> -----Original Message-----
> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of 
> Hannes Tschofenig
> Sent: Monday, July 09, 2012 11:15 AM
> To: OAuth WG
> Subject: [OAUTH-WG] Holder-of-the-Key for OAuth
> 
> Hi guys, 
> 
> today I submitted a short document that illustrates the concept of 
> holder-of-the-key for OAuth. 
> Here is the document: 
> https://datatracker.ietf.org/doc/draft-tschofenig-oauth-hotk
> 
> Your feedback is welcome 
> 
> Ciao
> Hannes
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth