At the informal Token Binding meeting we had a discussion of Java servers
supporting TB, the support would have to come out of JSSE, kere is the analysis
on what it would take to change JSSE
Implementing 5705 itself, would not take too long and appears to be pretty
straightforward. The EKM is created by using the same PRF function as the
creating of the key material from the TLS Master secret.
In TLS,
To generate the key material, compute
key_block = PRF(SecurityParameters.master_secret,
"key expansion",
SecurityParameters.server_random +
SecurityParameters.client_random);
For EKM,
If no context is provided, it then computes:
PRF(SecurityParameters.master_secret, label,
SecurityParameters.client_random +
SecurityParameters.server_random
)[length]
If context is provided, it computes:
PRF(SecurityParameters.master_secret, label,
SecurityParameters.client_random +
SecurityParameters.server_random +
context_value_length + context_value
)[length]
As it states in the RFC: "The issue is the designing a secure mechanism that
uses exporters is not necessarily straightforward. This document only provides
the exporter mechanism, but the problem of agreeing on the surrounding context
and the meaning of the information passed to and from the exporter remains. Any
new uses of the exporter mechanism should be subject to careful review."
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
