> Regarding the symmetric keys: The asymmetric key can be re-used but with a
> symmetric key holder-of-the-key you would have to request a fresh one every
> time in order to accomplish comparable security benefits.

We have use cases for asymmetric, symmetric and for nonce (entropy), and thus would have to distinguish between these types requested and returned. Also, do you always see the proof token being embedded in the message, or also as part of the auth code?

-----Original Message-----
From: Hannes Tschofenig [mailto:hannes.tschofe...@gmx.net]
Sent: Monday, July 09, 2012 12:05 PM
To: Anthony Nadalin
Cc: Hannes Tschofenig; OAuth WG
Subject: Re: [OAUTH-WG] Holder-of-the-Key for OAuth

Hi Tony,

I had to start somewhere. I had chosen the asymmetric version since it provides good security properties and there is already the BrowserID/OBC work that I had in the back of my mind. I am particularly interested to illustrate that you can accomplish the same, if not better, characteristics than BrowserID by using OAuth instead of starting from scratch.

Regarding the symmetric keys: The asymmetric key can be re-used but with a symmetric key holder-of-the-key you would have to request a fresh one every time in order to accomplish comparable security benefits.

Ciao
Hannes

On Jul 9, 2012, at 9:57 PM, Anthony Nadalin wrote:

> Hannes, thanks for drafting this, couple of comments:
>
> 1. HOK is one of Proof of Possession methods, should we consider others?
> 2. This seems just to handle asymmetric keys, need to also handle symmetric
> keys
>
>
> -----Original Message-----
> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of
> Hannes Tschofenig
> Sent: Monday, July 09, 2012 11:15 AM
> To: OAuth WG
> Subject: [OAUTH-WG] Holder-of-the-Key for OAuth
>
> Hi guys,
>
> today I submitted a short document that illustrates the concept of
> holder-of-the-key for OAuth.
>
> Here is the document:
> https://datatracker.ietf.org/doc/draft-tschofenig-oauth-hotk
>
> Your feedback is welcome
>
> Ciao
> Hannes
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
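The thread above discusses holder-of-the-key (a proof-of-possession method) for OAuth in both the asymmetric flavour the draft starts from and the symmetric flavour Tony asks about. The following Go program is an added illustration of that concept; it is not code from the draft, from the IETF OAuth WG, or from either correspondent. It assumes a simplified token structure (`AccessToken` with a `KeyID` thumbprint), models the "proof" as a signature or HMAC over the token id, the request and a nonce, and assumes the resource server already knows the client's public key or, in the symmetric case, shares the secret with the authorization server; all names and sample values are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"fmt"
)

// KeyType distinguishes the two holder-of-the-key flavours discussed in the thread.
type KeyType string

const (
	Asymmetric KeyType = "asymmetric" // token bound to the client's public key
	Symmetric  KeyType = "symmetric"  // token bound to a shared secret
)

// AccessToken is a constructed, simplified token: unlike a bearer token it names
// the key whose possession the presenter must prove (KeyID is a SHA-256 thumbprint).
type AccessToken struct {
	ID      string
	KeyType KeyType
	KeyID   string
}

// proofInput is what the proof covers. Binding the request and a nonce means a
// captured proof cannot be replayed against a different request.
func proofInput(tok AccessToken, method, uri, nonce string) []byte {
	h := sha256.Sum256([]byte(tok.ID + "\n" + method + "\n" + uri + "\n" + nonce))
	return h[:]
}

func thumbprint(pub *ecdsa.PublicKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:]), nil
}

func secretID(secret []byte) string {
	sum := sha256.Sum256(secret)
	return hex.EncodeToString(sum[:])
}

// IssueAsymmetricToken (authorization server side) binds a token to a public key.
func IssueAsymmetricToken(id string, pub *ecdsa.PublicKey) (AccessToken, error) {
	tp, err := thumbprint(pub)
	if err != nil {
		return AccessToken{}, err
	}
	return AccessToken{ID: id, KeyType: Asymmetric, KeyID: tp}, nil
}

// IssueSymmetricToken binds a token to a shared secret the client was given.
func IssueSymmetricToken(id string, secret []byte) AccessToken {
	return AccessToken{ID: id, KeyType: Symmetric, KeyID: secretID(secret)}
}

// ProveAsymmetric (client side): sign the proof input with the bound private key.
func ProveAsymmetric(priv *ecdsa.PrivateKey, tok AccessToken, method, uri, nonce string) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, proofInput(tok, method, uri, nonce))
}

// ProveSymmetric (client side): HMAC the proof input with the shared secret.
func ProveSymmetric(secret []byte, tok AccessToken, method, uri, nonce string) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write(proofInput(tok, method, uri, nonce))
	return mac.Sum(nil)
}

// VerifyAsymmetric (resource server side): the presented key must be the one the
// token was bound to, and the signature must cover this exact request.
func VerifyAsymmetric(pub *ecdsa.PublicKey, tok AccessToken, method, uri, nonce string, sig []byte) bool {
	tp, err := thumbprint(pub)
	if err != nil || tok.KeyType != Asymmetric || tp != tok.KeyID {
		return false
	}
	return ecdsa.VerifyASN1(pub, proofInput(tok, method, uri, nonce), sig)
}

// VerifySymmetric: the resource server recomputes the HMAC with the secret it
// shares with the authorization server (assumed looked up by tok.KeyID).
func VerifySymmetric(secret []byte, tok AccessToken, method, uri, nonce string, mac []byte) bool {
	if tok.KeyType != Symmetric || secretID(secret) != tok.KeyID {
		return false
	}
	return hmac.Equal(mac, ProveSymmetric(secret, tok, method, uri, nonce))
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tok, _ := IssueAsymmetricToken("tok-1", &priv.PublicKey)
	sig, _ := ProveAsymmetric(priv, tok, "GET", "/resource", "nonce-1")
	fmt.Println("valid proof:", VerifyAsymmetric(&priv.PublicKey, tok, "GET", "/resource", "nonce-1", sig))
	fmt.Println("replayed proof:", VerifyAsymmetric(&priv.PublicKey, tok, "GET", "/resource", "nonce-2", sig))
}
```

The two negative checks in `main` are the point of holder-of-the-key: a token captured on the wire is useless without the bound key, and a captured proof is useless for any request other than the one it was made for. In the symmetric variant the resource server needs the same secret the client holds, which is why the shared secret has to be provisioned per token rather than being a long-lived client credential.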