In case the UMA model of establishing and conducting loosely coupled AS-RS relationships is of interest, you can find more information here:
http://tools.ietf.org/html/draft-hardjono-oauth-umacore-10 (for the AS's protection API, the OAuth token securing that API, and the declaration of AS config data including endpoints)

http://tools.ietf.org/html/draft-hardjono-oauth-resource-reg-03 (for the resource set registration sub-API)

Eve

On 22 Aug 2014, at 1:35 AM, Hannes Tschofenig <hannes.tschofe...@gmx.net> wrote:

> Hi Tiru,
>
>> ...
>>> ...
>>> b) You describe a key establishment scheme to be used between the
>>> resource server and the authorization server. What assumption do you make
>>> about the relationship between the authorization server and the resource
>>> server? Are they supposed to have a business relationship or some other
>>> relationship with each other?
>>
>> Authorization and Resource servers could have a business relationship
>> (loosely coupled, for example an Enterprise network using a TURN server provided
>> by a third-party provider like Akamai) or could be deployed in the same
>> administrative domain (tightly coupled, for example Google providing both
>> WebRTC and TURN servers).
>
> I guess you assume that there is some long-term secret (such as an
> asymmetric credential) in place and you then derive the symmetric keys
> from it (by using DSKPP). Maybe you want to say that (in addition to the
> assumed relationship between the two entities). If there is no
> relationship between the two parties then it will certainly be a
> challenge to get this done securely.

Eve Maler
http://www.xmlgrrl.com/blog
+1 425 345 6756
http://www.twitter.com/xmlgrrl

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth