Hi Tony, 

On Jul 10, 2012, at 12:17 AM, Anthony Nadalin wrote:

>> Regarding the symmetric keys: The asymmetric key can be re-used but with a 
>> symmetric key holder-of-the-key you would have to request a fresh one every 
>> time in order to accomplish comparable security benefits.
> 
> We have use cases for asymmetric, symmetric and for nonce (entropy),

I tried to describe the difference between the various approaches in this 
document: 
http://www.potaroo.net/ietf/all-ids/draft-tschofenig-oauth-signature-thoughts-00.txt

There is a small performance improvement when using symmetric key techniques 
compared to short-lived asymmetric keys, but asymmetric keys provide security 
benefits (since neither the resource server nor the authorization server ever 
gets to see the private key). 

Do you really need both? 

And: Could you explain the nonce-based technique? 


> and thus would have to distinguish between these types requested and returned.

Certainly true. 

I currently use the pk-info parameter to allow the client to hint support for 
this extension in the request, and the "token_type":"hotk" in the response as a 
confirmation that the server side understands it and has included the public 
key in the access token. 

Ciao
Hannes
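An added example, not part of this e-mail thread or of the draft: a Go simulation of the holder-of-the-key exchange described above. The client sends its public key in a pk_info parameter, the authorization server binds that key into the access token and answers with token_type "hotk", and the resource server accepts a request only if it is signed with the matching private key. The token encoding (HMAC-SHA256 over JSON claims under a key shared by AS and RS), the Cnf claim name, the signing-input layout, Ed25519 as the signature scheme and all sample values are assumptions made for this illustration, not the draft's wire format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed secret shared by the authorization server (AS) and the resource
// server (RS) for token integrity; a real deployment would use a signed token.
var tokenKey = []byte("constructed-as-rs-shared-secret")

// TokenRequest: PkInfo (hex Ed25519 public key) signals HoK support and supplies the key.
type TokenRequest struct {
	PkInfo string `json:"pk_info"`
}

// TokenResponse is the AS answer; TokenType "hotk" confirms the binding.
type TokenResponse struct {
	AccessToken string `json:"access_token"`
	TokenType   string `json:"token_type"`
}

// Claims is the token body; Cnf (assumed claim name) is the bound public key.
type Claims struct {
	Sub, Aud, Cnf string
}

// ResourceRequest: Signature is Ed25519 over method, path, nonce and the token itself.
type ResourceRequest struct {
	Method, Path, Nonce, AccessToken string
	Signature                        []byte
}

// tokenMAC is the integrity tag over the encoded claims.
func tokenMAC(body []byte) []byte {
	mac := hmac.New(sha256.New, tokenKey)
	mac.Write(body)
	return mac.Sum(nil)
}

// IssueToken is the AS side: it only ever sees the public half of the client's key.
func IssueToken(req TokenRequest) (TokenResponse, error) {
	if pk, err := hex.DecodeString(req.PkInfo); err != nil || len(pk) != ed25519.PublicKeySize {
		return TokenResponse{}, fmt.Errorf("pk_info must be a hex Ed25519 public key")
	}
	body, _ := json.Marshal(Claims{Sub: "client-1", Aud: "rs.example", Cnf: req.PkInfo})
	tok := hex.EncodeToString(body) + "." + hex.EncodeToString(tokenMAC(body))
	return TokenResponse{AccessToken: tok, TokenType: "hotk"}, nil
}

func signingInput(r ResourceRequest) []byte {
	return []byte(r.Method + "|" + r.Path + "|" + r.Nonce + "|" + r.AccessToken)
}

// SignRequest is the client side: only the holder of priv can produce it.
func SignRequest(priv ed25519.PrivateKey, method, path, nonce, token string) ResourceRequest {
	r := ResourceRequest{Method: method, Path: path, Nonce: nonce, AccessToken: token}
	r.Signature = ed25519.Sign(priv, signingInput(r))
	return r
}

// VerifyRequest is the RS side: token integrity and audience, then proof of possession.
func VerifyRequest(r ResourceRequest, audience string) error {
	head, tail, ok := strings.Cut(r.AccessToken, ".")
	body, err1 := hex.DecodeString(head)
	tag, err2 := hex.DecodeString(tail)
	if !ok || err1 != nil || err2 != nil || !hmac.Equal(tokenMAC(body), tag) {
		return fmt.Errorf("token integrity check failed")
	}
	var c Claims
	if err := json.Unmarshal(body, &c); err != nil || c.Aud != audience {
		return fmt.Errorf("token not valid for this resource server")
	}
	pk, err := hex.DecodeString(c.Cnf)
	if err != nil || len(pk) != ed25519.PublicKeySize {
		return fmt.Errorf("token carries no usable bound key")
	}
	if !ed25519.Verify(ed25519.PublicKey(pk), signingInput(r), r.Signature) {
		return fmt.Errorf("proof of possession failed: not signed by the bound key")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	resp, _ := IssueToken(TokenRequest{PkInfo: hex.EncodeToString(pub)})
	good := SignRequest(priv, "GET", "/resource", "nonce-1", resp.AccessToken)
	fmt.Println(resp.TokenType, "legitimate request:", VerifyRequest(good, "rs.example"))
	// Someone who captured the token but holds a different key pair.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	replay := SignRequest(otherPriv, "GET", "/resource", "nonce-2", resp.AccessToken)
	fmt.Println("token replayed without the bound key:", VerifyRequest(replay, "rs.example"))
}
```

The point the simulation makes visible is the one contrasted with bearer tokens in the thread: a captured access token is useless to anyone without the private key, and neither the AS nor the RS ever handles that key, so the same key pair can safely be bound into many tokens. A symmetric variant would instead have the AS generate the key and deliver it to both the client and the RS, which is why the message argues that a fresh symmetric key per request is needed for comparable security.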

> 
> -----Original Message-----
> From: Hannes Tschofenig [mailto:hannes.tschofe...@gmx.net] 
> Sent: Monday, July 09, 2012 12:05 PM
> To: Anthony Nadalin
> Cc: Hannes Tschofenig; OAuth WG
> Subject: Re: [OAUTH-WG] Holder-of-the-Key for OAuth
> 
> Hi Tony, 
> 
> I had to start somewhere. I had chosen the asymmetric version since it 
> provides good security properties and there is already the BrowserID/OBC work 
> that I had in the back of my mind. I am particularly interested in illustrating 
> that you can accomplish the same, if not better, characteristics than 
> BrowserID by using OAuth instead of starting from scratch. 
> 
> Regarding the symmetric keys: The asymmetric key can be re-used but with a 
> symmetric key holder-of-the-key you would have to request a fresh one every 
> time in order to accomplish comparable security benefits. 
> 
> Ciao
> Hannes
> 
> On Jul 9, 2012, at 9:57 PM, Anthony Nadalin wrote:
> 
>> Hannes, thanks for drafting this, a couple of comments:
>> 
>> 1. HOK is one of the proof-of-possession methods; should we consider others?
>> 2. This seems to handle only asymmetric keys; we need to also handle symmetric 
>> keys.
>> 
>> 
>> -----Original Message-----
>> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of 
>> Hannes Tschofenig
>> Sent: Monday, July 09, 2012 11:15 AM
>> To: OAuth WG
>> Subject: [OAUTH-WG] Holder-of-the-Key for OAuth
>> 
>> Hi guys, 
>> 
>> today I submitted a short document that illustrates the concept of 
>> holder-of-the-key for OAuth. 
>> Here is the document: 
>> https://datatracker.ietf.org/doc/draft-tschofenig-oauth-hotk
>> 
>> Your feedback is welcome 
>> 
>> Ciao
>> Hannes
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth