Hi Neil,

I'd be interested in seeing this draft discussed.

Dave

On Wed, 5 Aug 2020 at 12:02, Neil Madden <neil.mad...@forgerock.com> wrote:

> Hi all,
>
> You may remember me from such I-Ds as https://tools.ietf.org/html/draft-madden-jose-ecdh-1pu-03, which proposes adding a new encryption algorithm to JOSE. I'd like to reserve a bit of time to discuss it at one of the upcoming interim meetings.
>
> The basic idea is that in many cases in OAuth and OIDC you want to ensure both confidentiality and authenticity of some token - for example when transferring an ID token containing PII to the client through the front channel, or for access tokens intended to be handled by a specific RS without online token introspection (such as the JWT access token draft). If you have a shared secret key between the AS and the client/RS then you can use symmetric authenticated encryption (alg=dir or alg=A128KW etc). But if you need to use public key cryptography then currently you are limited to a nested signed-then-encrypted JOSE structure, which produces much larger token sizes.
>
> The draft adds a new "public key authenticated encryption" mode based on ECDH in the NIST standard "one-pass unified" model. The primary advantage for OAuth usage is that the tokens produced are more compact compared to signing+encryption (~30% smaller for typical access/ID token sizes in compact serialization). Performance-wise, it's roughly equivalent. I know that size concerns are often a limiting factor in choosing whether to encrypt tokens, so this should help.
>
> In terms of implementation, it's essentially just a few extra lines of code compared to an ECDH-ES implementation. (Some JOSE library APIs might need an adjustment to accommodate the extra private key needed for encryption/public key for decryption.)
>
> I've received a few emails off-list from people interested in using it for non-OAuth use-cases such as secure messaging applications. I think these use-cases can be accommodated without significant changes, so I think the OAuth WG would be a good venue for advancing this.
>
> I'd be interested to hear thoughts and discussion on the list prior to any discussion at an interim meeting.
>
> — Neil
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

-- 
Dave Tonge
CTO, Moneyhub Enterprise
Moneyhub Financial Technology, 5th Floor, 10 Temple Back, Bristol, BS1 6FL
t: +44 (0)117 280 5120

Moneyhub Enterprise is a trading style of Moneyhub Financial Technology Limited which is authorised and regulated by the Financial Conduct Authority ("FCA"). Moneyhub Financial Technology is entered on the Financial Services Register (FRN 809360) at fca.org.uk/register. Moneyhub Financial Technology is registered in England & Wales, company registration number 06909772. Moneyhub Financial Technology Limited 2018 ©

DISCLAIMER: This email (including any attachments) is subject to copyright, and the information in it is confidential. Use of this email or of any information in it other than by the addressee is unauthorised and unlawful. Whilst reasonable efforts are made to ensure that any attachments are virus-free, it is the recipient's sole responsibility to scan all attachments for viruses. All calls and emails to and from this company may be monitored and recorded for legitimate purposes relating to this company's business. Any opinions expressed in this email (or in any attachments) are those of the author and do not necessarily represent the opinions of Moneyhub Financial Technology Limited or of any other group company.
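As an added illustration of the key agreement Neil describes (example code written for this thread, not text from the draft or any JOSE library): the shared secret is Z = Ze || Zs, the ephemeral-static ECDH secret followed by the static-static one, fed through the RFC 7518 Concat KDF in direct-encryption mode, shown here over X25519 with constructed keys. The curve arithmetic is a textbook ladder for reading, not constant-time production code, and the header parameters (enc, apu, apv) are assumed values.

```python
import hashlib
import os
import struct
P = 2**255 - 19                    # Curve25519 field prime
BASE = (9).to_bytes(32, "little")  # X25519 base point u = 9

def x25519(scalar: bytes, u_bytes: bytes) -> bytes:
    """Textbook RFC 7748 Montgomery ladder; not constant-time, illustration only."""
    k = bytearray(scalar); k[0] &= 248; k[31] &= 127; k[31] |= 64   # clamp scalar
    k = int.from_bytes(k, "little")
    u = int.from_bytes(u_bytes, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        if swap ^ kt:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb, aa, bb = d * a % P, c * b % P, a * a % P, b * b % P
        e = (aa - bb) % P
        x3, z3 = (da + cb) ** 2 % P, u * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def keypair():
    priv = os.urandom(32)
    return priv, x25519(priv, BASE)

def concat_kdf(z: bytes, alg_id: bytes, apu: bytes, apv: bytes, bits: int) -> bytes:
    """RFC 7518 s4.6.2 Concat KDF: SHA-256(counter || Z || OtherInfo), truncated."""
    lp = lambda b: struct.pack(">I", len(b)) + b        # length-prefixed field
    other = lp(alg_id) + lp(apu) + lp(apv) + struct.pack(">I", bits)
    out = b"".join(hashlib.sha256(struct.pack(">I", i) + z + other).digest()
                   for i in range(1, -(-bits // 256) + 1))
    return out[: bits // 8]

def ecdh_1pu_sender(sender_priv, recipient_pub, enc=b"A128GCM", apu=b"", apv=b""):
    """Z = Ze || Zs: ephemeral-static secret followed by static-static secret."""
    eph_priv, eph_pub = keypair()
    z = x25519(eph_priv, recipient_pub) + x25519(sender_priv, recipient_pub)
    return eph_pub, concat_kdf(z, enc, apu, apv, 128)   # direct mode: AlgorithmID = enc

def ecdh_1pu_recipient(recipient_priv, sender_pub, eph_pub, enc=b"A128GCM", apu=b"", apv=b""):
    # A wrong sender_pub changes Zs, hence the CEK, so the AEAD tag check fails:
    # that static-static term is what ECDH-ES lacks and where the authenticity comes from.
    z = x25519(recipient_priv, eph_pub) + x25519(recipient_priv, sender_pub)
    return concat_kdf(z, enc, apu, apv, 128)
```

Compared with ECDH-ES, the recipient needs the sender's public key as an extra input and the sender needs its own private key; that is the API adjustment Neil mentions.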
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth