Mark,

Many thanks for posting this. I am thinking of the next step.
This paper proposes to use the Password-Based Asymmetric Key Exchange protocol. Many messages ago, I had proposed to use the Password-Based DH key exchange for the symmetric key generation.
Another option is to mandate some form of PKI for all OAuth actors. I did not want to bring up this discussion until 2.0 is finished and published. (I do believe that the current security analysis and considerations led by Torsten have been comprehensive, and therefore 2.0 ought to move to conclusion.) For the future, maybe you could work with your colleagues to compare the PBAKE and PAK specifically as they apply to OAuth? You might also consider publishing PBAKE in the IETF.
Igor

Mark Mcgloin wrote:
... Here is another example of the type of analysis I am looking for, this one covering OAuth 1.0a from our research lab http://domino.watson.ibm.com/library/cyberdig.nsf/papers/B0D33665257DD3A0852576410043BCDD/$File/rc24856.pdf
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth