Re: [OAUTH-WG] [Ace] Questions about OAuth and DTLS

Mon, 08 Feb 2016 00:03:04 -0800 

Michael,

thank you for answering, this is getting very interesting.
Comments inline.

/Ludwig


On 02/05/2016 04:26 PM, Michael Richardson wrote:


First, let me say that I confused RS and RO/AS in my mind when reading before.

Starting again, I think that any PSK for authentication between C<->RS is
unrealistic.
Actually I don't want to authenticate the client, I just want do a proof-of-possession for the (symmetric) key that is bound to the token. Wouldn't the DTLS-PSK handshake provide that proof? 

Detailed scenario (skip if the above makes sense):
Client has a PoP token with a symmetric PoP key. Client wants to use DTLS-PSK towards the RS with the symmetric PoP key as PSK to get a.) A secure connection and b.) do the proof-of-possession towards the RS. 



     >> So my question is then: could the out-of-band process have
     >> pre-exchanged the raw public key (and the RS's key/certificate!) as
     >> well?

     > Short answer: Yes but only to the AS not to the client(s).

     > Long answer: I am laboring under the assumption that the AS not only
     > provides the OAuth token and the corresponding PoP key to the client,
     > but also some information on the communication security protocols that
     > the RS supports. Furthermore the AS facilitates the establishment of a
     > security context between client and RS by providing things such as a
     > (D)TLS-PSK or the RS's raw public key, depending on the (D)TLS mode
     > that the RS is going to support. Thus individual clients would not,
     > a-priori, know the raw public key of a RS, but would be able to get
     > that information from the AS.

That seems entirely reasonable.  Would the OAuth token not also be bound to
the Raw RSA key of C?    So RS would never need to be told about C's key,
because the AS would have told it "key XYZ can access resource ABC" in the
OAuth token.
Yes if the PoP token uses a public key as PoP key. C could even generate an ephemeral key-pair just for this token (and the DTLS-RPK handshake). 



--
Ludwig Seitz, PhD
SICS Swedish ICT AB
Ideon Science Park
Building Beta 2
Scheelevägen 17
SE-223 70 Lund

Phone +46(0)70 349 9251
http://www.sics.se

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Reply via email to