: William Mills
To: Hannes Tschofenig
Cc: "oauth@ietf.org"
Sent: Wednesday, July 11, 2012 9:52 AM
Subject: Re: [OAUTH-WG] Holder-of-the-Key for OAuth
Having re-read this I think I now understand how symmetric would work. In the
HOK model as I think of it we have 3 basic parts: opaque t
ateek mishra
; "Tschofenig, Hannes (NSN - FI/Espoo)"
; "oauth@ietf.org"
Sent: Tuesday, July 10, 2012 11:23 PM
Subject: Re: [OAUTH-WG] Holder-of-the-Key for OAuth
I also fail to see the value of a symmetric holder-of-the-key solution and I
don't buy the performance
Hannes (NSN - FI/Espoo)"
Cc: oauth@ietf.org
Sent: Tuesday, July 10, 2012 12:00 PM
Subject: Re: [OAUTH-WG] Holder-of-the-Key for OAuth
Hannes,
we have a variety of use-cases wherein a single server ("client") repeatedly
interacts with a resource server for business purposes. T
On the specifics of OAuth bindings.
We may profit by stepping back a bit and agreeing on what threats we are
attempting to mitigate.
One threat that is on a number of people's minds is the complete failure of PKIX.
Another is the simple fact that many clients don't validate server certificates
a
JWT is an OAuth WG item so we can do a proof semantic for that that works with
the OAuth bindings but is not necessarily specific to OAuth. Connect and
Browser ID may want to use it as well for JWT outside of OAuth.
John B.
On 2012-07-11, at 6:48 AM, Hannes Tschofenig wrote:
> It is certainl
It is certainly a plus that we can now make use of the JSON work. This will
improve interoperability and avoid making implementation mistakes if developers
use libraries (with the JOSE features).
On Jul 11, 2012, at 1:37 PM, John Bradley wrote:
> The POST of a signed blob would work with JOSE
The POST of a signed blob would work with JOSE or CMS signing the blob.
I suspect that would be more of an application-level signing than OAuth though.
Though worth talking about.
I suspect an OAuth-level signing might look a bit like HMAC.
The access_token might be:
1. a JWT including a JWK struct
the server-side understands it and had included the public
key into the access token.
Ciao
Hannes
>
> -Original Message-
> From: Hannes Tschofenig [mailto:hannes.tschofe...@gmx.net]
> Sent: Monday, July 09, 2012 12:05 PM
> To: Anthony Nadalin
> Cc: Hannes Tschofeni
>>John Bradley wrote:
>>> I suspect that we will need two OAuth bindings. One for TLS and one for
>>> signed message.
>>
>>I agree. For instance, set “token_type”:”tls_client_cert” when the client has
>>to use TLS; set “token_type”:”cms” when the client has to digitally sign
>>messages using Cr
From: prateek mishra
> To: "Tschofenig, Hannes (NSN - FI/Espoo)"
> Cc: oauth@ietf.org
> Sent: Tuesday, July 10, 2012 12:00 PM
> Subject: Re: [OAUTH-WG] Holder-of-the-Key for OAuth
>
> Hannes,
>
> we have a variety of use-cases wherein a single server ("client
d only care about the proof based on the token it
receives.
I think part of this is a JWT/JOSE issue and part of this is an OAuth binding or
bindings issue.
John B.
> --
> James Manger
>
> From: "Manger, James H"
> To: Hannes Tschofenig ; OAuth WG
> Sent: Monday
the
authorization in each request? Or something in between?
--
James Manger
From: "Manger, James H"
To: Hannes Tschofenig ; OAuth WG
Sent: Monday, July 9, 2012 8:54 PM
Subject: Re: [OAUTH-WG] Holder-of-the-Key for OAuth
Hannes,
> today I submitted
ithout holder-of-key.
>
> I really don't see how this works with symmetric keys in any useful way
> that's not easier via another method like MAC tokens?
>
>
> From: prateek mishra
> To: "Tschofenig, Hannes (NSN - FI/Espoo)"
> Cc: oauth@ietf.org
code and decreases interoperability.
>
>Ciao
>Hannes
>
>
>From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of ext
>prateek mishra
>Sent: Tuesday, July 10, 2012 8:42 PM
>To: oauth@ietf.org
>Subject: Re: [OAUTH-WG] Holder-of-the-Key for OAuth
.@ietf.org [mailto:oauth-boun...@ietf.org] *On
Behalf Of *ext prateek mishra
*Sent:* Tuesday, July 10, 2012 8:42 PM
*To:* oauth@ietf.org
*Subject:* Re: [OAUTH-WG] Holder-of-the-Key for OAuth
As Phil Hunt suggests, there is a need for a discussion of the
use-cases involved
How to bind the key to the
[mailto:oauth-boun...@ietf.org] On Behalf Of
Tschofenig, Hannes (NSN - FI/Espoo)
Sent: Tuesday, July 10, 2012 10:47 AM
To: ext prateek mishra; oauth@ietf.org
Subject: Re: [OAUTH-WG] Holder-of-the-Key for OAuth
Hi Prateek,
why do you care about the symmetric key case?
Specifying more variants requires more
: oauth@ietf.org
Subject: Re: [OAUTH-WG] Holder-of-the-Key for OAuth
As Phil Hunt suggests, there is a need for a discussion of the use-cases
involved
How to bind the key to the requestor may have several variations, I
would hope the work would cover a broad range
Given the importance of the
Message-
From: John Bradley [mailto:ve7...@ve7jtb.com]
Sent: Tuesday, July 10, 2012 9:55 AM
To: Hannes Tschofenig
Cc: Anthony Nadalin; Hannes Tschofenig; OAuth WG
Subject: Re: [OAUTH-WG] Holder-of-the-Key for OAuth
Binding the key to the channel is arguably the most secure.
SSL offloading and
--Original Message-
> From: John Bradley [mailto:ve7...@ve7jtb.com]
> Sent: Tuesday, July 10, 2012 9:55 AM
> To: Hannes Tschofenig
> Cc: Anthony Nadalin; Hannes Tschofenig; OAuth WG
> Subject: Re: [OAUTH-WG] Holder-of-the-Key for OAuth
>
> Binding the key to the channel
nes Tschofenig; OAuth WG
Subject: Re: [OAUTH-WG] Holder-of-the-Key for OAuth
Binding the key to the channel is arguably the most secure.
SSL offloading and other factors may prevent that from working in all cases.
I suspect that we will need two OAuth bindings. One for TLS and one for sig
t; Sent: Monday, July 9, 2012 8:54 PM
> Subject: Re: [OAUTH-WG] Holder-of-the-Key for OAuth
>
> Hannes,
>
> > today I submitted a short document that illustrates the concept of
> > holder-of-the-key for OAuth.
> > Here is the document:
> > https://datatracker.
eys
>>>
>>>
>>> -----Original Message-
>>> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of
>>> Hannes Tschofenig
>>> Sent: Monday, July 09, 2012 11:15 AM
>>> To: OAuth WG
>>> Subject: [OAUTH-WG]
ement (entropy) cases.
>>
>> -Original Message-
>> From: John Bradley [mailto:ve7...@ve7jtb.com]
>> Sent: Tuesday, July 10, 2012 3:34 AM
>> To: Hannes Tschofenig
>> Cc: Anthony Nadalin; OAuth WG
>> Subject: Re: [OAUTH-WG] Holder-of-the-Key for OAuth
>>
ay, July 9, 2012 8:54 PM
Subject: Re: [OAUTH-WG] Holder-of-the-Key for OAuth
Hannes,
> today I submitted a short document that illustrates the concept of
> holder-of-the-key for OAuth.
> Here is the document:
> https://datatracker.ietf.org/doc/draft-tschofenig-oauth-hotk
A different
Subject: Re: [OAUTH-WG] Holder-of-the-Key for OAuth
If we do not bind the key to the channel then we will run into all sorts of
problems. The current MAC specification illustrates that quite nicely. On top
of that you can re-use the established security channel for the actual data
exchange
7...@ve7jtb.com]
> Sent: Tuesday, July 10, 2012 3:34 AM
> To: Hannes Tschofenig
> Cc: Anthony Nadalin; OAuth WG
> Subject: Re: [OAUTH-WG] Holder-of-the-Key for OAuth
>
> I agree that there are use-cases for all of the proof of possession
> mechanisms.
>
> Presentmen
:34 AM
To: Hannes Tschofenig
Cc: Anthony Nadalin; OAuth WG
Subject: Re: [OAUTH-WG] Holder-of-the-Key for OAuth
I agree that there are use-cases for all of the proof of possession mechanisms.
Presentment methods also need to be considered.
TLS client auth may not always be the best option.
ymmetric
>> keys
>>
>>
>> -Original Message-
>> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of
>> Hannes Tschofenig
>> Sent: Monday, July 09, 2012 11:15 AM
>> To: OAuth WG
>> Subject: [OAUTH-WG] Holder-of-the-K
Hannes,
> today I submitted a short document that illustrates the concept of
> holder-of-the-key for OAuth.
> Here is the document:
> https://datatracker.ietf.org/doc/draft-tschofenig-oauth-hotk
A different approach would be for the service to issue a private asymmetric key
to the client app, a
:05 PM
To: Anthony Nadalin
Cc: Hannes Tschofenig; OAuth WG
Subject: Re: [OAUTH-WG] Holder-of-the-Key for OAuth
Hi Tony,
I had to start somewhere. I had chosen the asymmetric version since it provides
good security properties and there is already the BrowserID/OBC work that I had
in the back of m
>
> -Original Message-
> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of
> Hannes Tschofenig
> Sent: Monday, July 09, 2012 11:15 AM
> To: OAuth WG
> Subject: [OAUTH-WG] Holder-of-the-Key for OAuth
>
> Hi guys,
>
> today I submitt
] On Behalf Of
Hannes Tschofenig
Sent: Monday, July 09, 2012 11:15 AM
To: OAuth WG
Subject: [OAUTH-WG] Holder-of-the-Key for OAuth
Hi guys,
today I submitted a short document that illustrates the concept of
holder-of-the-key for OAuth.
Here is the document:
https://datatracker.ietf.org/doc
Hi guys,
today I submitted a short document that illustrates the concept of
holder-of-the-key for OAuth.
Here is the document:
https://datatracker.ietf.org/doc/draft-tschofenig-oauth-hotk
Your feedback is welcome
Ciao
Hannes