Hannes, Thanks for your proposal. I'm glad to see work on this starting.

I think use cases may demand more than just channel security. A lot of cases do not have end-to-end TLS channels available. So while this could be stated to be an improvement, it may not achieve the end-to-end authentication of clients being looked for. One aspect of the MAC draft that I did like was that it involved a changing authorization value, which essentially gave a message-centric security model.

Would it be appropriate to start a discussion on the use cases the WG would like to address?

Phil
@independentid
www.independentid.com
phil.h...@oracle.com

On 2012-07-10, at 3:33 AM, John Bradley wrote:

> I agree that there are use-cases for all of the proof of possession mechanisms.
>
> Presentment methods also need to be considered.
>
> TLS client auth may not always be the best option. Sometimes message signing is more appropriate.
>
> One question is if we want to do a generic proof of possession for JWT that is useful outside OAuth, or something OAuth specific. The answer may be a combined approach.
>
> I think this is a good start to get discussion going.
>
> John B.
>
> On 2012-07-09, at 3:05 PM, Hannes Tschofenig wrote:
>
>> Hi Tony,
>>
>> I had to start somewhere. I had chosen the asymmetric version since it provides good security properties and there is already the BrowserID/OBC work that I had in the back of my mind. I am particularly interested to illustrate that you can accomplish the same, if not better, characteristics than BrowserID by using OAuth instead of starting from scratch.
>>
>> Regarding the symmetric keys: The asymmetric key can be re-used, but with a symmetric key holder-of-the-key you would have to request a fresh one every time in order to accomplish comparable security benefits.
>>
>> Ciao
>> Hannes
>>
>> On Jul 9, 2012, at 9:57 PM, Anthony Nadalin wrote:
>>
>>> Hannes, thanks for drafting this, couple of comments:
>>>
>>> 1. HOK is one of Proof of Possession methods, should we consider others?
>>> 2. This seems just to handle asymmetric keys, need to also handle symmetric keys
>>>
>>> -----Original Message-----
>>> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Hannes Tschofenig
>>> Sent: Monday, July 09, 2012 11:15 AM
>>> To: OAuth WG
>>> Subject: [OAUTH-WG] Holder-of-the-Key for OAuth
>>>
>>> Hi guys,
>>>
>>> today I submitted a short document that illustrates the concept of holder-of-the-key for OAuth.
>>> Here is the document:
>>> https://datatracker.ietf.org/doc/draft-tschofenig-oauth-hotk
>>>
>>> Your feedback is welcome
>>>
>>> Ciao
>>> Hannes
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
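To make the thread's distinction concrete (a bearer token presented over a channel versus a key-bound token whose holder must sign each message, as Phil's "message-centric" point and Hannes's symmetric-key remark describe), here is an added illustration of a symmetric holder-of-the-key check; it is not code from the draft or from any participant. The token layout (JSON carrying a key id), the header names and the canonical string are assumptions made for this example only.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed illustration of a symmetric holder-of-the-key check.
# Token layout, header names and canonical string are assumptions,
# not the format of draft-tschofenig-oauth-hotk or the MAC draft.

def canonical_string(method, uri, ts, nonce, token):
    # Bind the proof to the request line, a timestamp, a nonce and the token,
    # so a captured proof cannot be reused for a different request.
    return "\n".join([method.upper(), uri, str(ts), nonce, token]).encode()

def sign_request(key, token, method, uri, ts=None, nonce=None):
    """Client side: prove possession of the key issued with the token."""
    ts = int(time.time()) if ts is None else ts
    nonce = nonce or secrets.token_hex(8)
    mac = hmac.new(key, canonical_string(method, uri, ts, nonce, token),
                   hashlib.sha256).hexdigest()
    return {"Authorization-Token": token, "X-PoP-Timestamp": str(ts),
            "X-PoP-Nonce": nonce, "X-PoP-Signature": mac}

class ResourceServer:
    """Resource server holding the keys the authorization server issued."""

    def __init__(self, keys, max_skew=300):
        self.keys = keys          # kid -> shared key bytes
        self.max_skew = max_skew  # tolerated clock drift in seconds
        self.seen = set()         # (kid, nonce) pairs already accepted

    def verify(self, headers, method, uri, now=None):
        now = int(time.time()) if now is None else now
        token = headers["Authorization-Token"]
        kid = json.loads(token).get("kid")
        key = self.keys.get(kid)
        if key is None:
            return False                      # token not bound to a known key
        ts, nonce = int(headers["X-PoP-Timestamp"]), headers["X-PoP-Nonce"]
        if abs(now - ts) > self.max_skew or (kid, nonce) in self.seen:
            return False                      # stale or replayed proof
        expected = hmac.new(key, canonical_string(method, uri, ts, nonce, token),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, headers["X-PoP-Signature"]):
            return False                      # token alone is not enough
        self.seen.add((kid, nonce))
        return True
```

Presenting the token without the key, replaying a captured proof, or redirecting it at another URI all fail verification; the asymmetric variant the draft starts from replaces the HMAC with a signature so the resource server only needs the public key.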