Good point. I'll republish in the next day or so adding that to the security considerations.
-- Mike

-----Original Message-----
From: Hannes Tschofenig [mailto:hannes.tschofe...@gmx.net]
Sent: Thursday, November 05, 2015 9:26 AM
To: Mike Jones; Brian Campbell
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Proof-of-Possession Key Semantics for JWTs spec addressing final shepherd comment

I agree that the effect is the same.

From a security point of view there is only an impact if one of the two parties is in a better position to generate random numbers, which is the basis for generating a high entropy symmetric key.

On 11/04/2015 11:51 PM, Mike Jones wrote:
> Thanks for the detailed read, Brian. You’re right that in the symmetric case, either the issuer or the presenter can create the symmetric PoP key and share it with the other party, since the effect is equivalent.
>
> I suspect that both the key distribution draft and this draft should be updated with a sentence or two saying that either approach can be taken. Do others concur?
>
> -- Mike
>
> From: Brian Campbell [mailto:bcampb...@pingidentity.com]
> Sent: Thursday, November 05, 2015 7:48 AM
> To: Mike Jones
> Cc: Kepeng Li; oauth@ietf.org
> Subject: Re: [OAUTH-WG] Proof-of-Possession Key Semantics for JWTs spec addressing final shepherd comment
>
> +1 for the diagrams making the document more understandable.
>
> One little nit/question: step 1 in both Symmetric and Asymmetric keys shows the Presenter sending the key to the Issuer. It's possible, however, for the key to be sent the other way. Presenter sending it to the Issuer is probably preferred for asymmetric, especially if the client can secure the private keys in hardware. But I don't know if one way or the other is clearly better for the symmetric case, and PoP key distribution currently has it the other way <https://tools.ietf.org/html/draft-ietf-oauth-pop-key-distribution-02#section-4.2>.
>
> Should the intro text somehow mention the possibility that the Issuer could create the key and send it to the Presenter?
>
> I know it's only the introduction but it was just something that jumped out at me.
>
> On Wed, Nov 4, 2015 at 9:04 AM, Mike Jones <michael.jo...@microsoft.com> wrote:
>
> > Thanks for suggesting the diagrams, Kepeng. They make the document more understandable.
> >
> > -- Mike
> >
> > From: Kepeng Li <kepeng....@alibaba-inc.com>
> > Sent: 11/5/2015 12:57 AM
> > To: Mike Jones <michael.jo...@microsoft.com>; oauth@ietf.org
> > Subject: Re: Proof-of-Possession Key Semantics for JWTs spec addressing final shepherd comment
> >
> > Thank you Mike.
> >
> > The diagrams look good to me.
> >
> > Kind Regards
> > Kepeng
> >
> > From: Mike Jones <michael.jo...@microsoft.com>
> > Date: Thursday, 5 November, 2015 12:32 am
> > To: "oauth@ietf.org" <oauth@ietf.org>
> > Cc: Li Kepeng <kepeng....@alibaba-inc.com>
> > Subject: Proof-of-Possession Key Semantics for JWTs spec addressing final shepherd comment
> >
> > Proof-of-Possession Key Semantics for JWTs draft -06 addresses the remaining document shepherd comment – adding use case diagrams to the introduction.
> >
> > The updated specification is available at:
> >
> > · http://tools.ietf.org/html/draft-ietf-oauth-proof-of-possession-06
> >
> > An HTML formatted version is also available at:
> >
> > · https://self-issued.info/docs/draft-ietf-oauth-proof-of-possession-06.html
> >
> > -- Mike
> >
> > P.S. This note was also posted at http://self-issued.info/?p=1471 and as @selfissued <https://twitter.com/selfissued>.
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
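The symmetric case the thread is discussing, as an added example (this is not code from the thread, from the draft, or from any OAuth implementation): a presenter, an issuer and a recipient exchanging a PoP JWT whose `cnf` claim carries a `kid` (modelled on the confirmation claim of draft-ietf-oauth-proof-of-possession), with the symmetric PoP key generated either by the presenter (step 1 as drawn in the draft's diagrams) or by the issuer (the other direction Brian raises). Verification on the recipient side is the same code path either way, which is Mike's and Hannes's point; the `seed_space` parameter simulates Hannes's caveat, a party whose "random" key has little entropy, and `recover_weak_key` shows that such a key falls to an attacker whichever party generated it. HS256 compact JWS is hand-rolled so the script needs only the standard library; the issuer URL, the subject, and the out-of-band `kid` registry shared between issuer and recipient are assumptions.

```python
# Added example, not code from the thread or from the draft it discusses.
# Symmetric proof-of-possession with a cnf.kid binding, where the PoP key is
# generated by either the presenter or the issuer; verification is identical.
# All names, the issuer URL and the kid registry are assumptions.
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def hs256_sign(payload: dict, key: bytes) -> str:
    """Compact JWS, HS256; used for both the PoP JWT and the possession proof."""
    header = b64url(b'{"alg":"HS256","typ":"JWT"}')
    body = b64url(json.dumps(payload, separators=(",", ":")).encode())
    tag = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(tag)}"


def hs256_verify(jws: str, key: bytes) -> Optional[dict]:
    """Returns the payload if the HMAC tag verifies under key, else None."""
    header, body, tag = jws.split(".")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(tag)):
        return None
    return json.loads(b64url_decode(body))


def key_from_seed(seed: int) -> bytes:
    return hashlib.sha256(seed.to_bytes(4, "big")).digest()


def generate_pop_key(seed_space: Optional[int] = None) -> bytes:
    """Whichever party generates the key calls this. seed_space=None means a
    proper CSPRNG; a small seed_space simulates a party with a weak random source."""
    if seed_space is None:
        return secrets.token_bytes(32)
    return key_from_seed(secrets.randbelow(seed_space))


def issue_pop_jwt(issuer_key: bytes, subject: str, pop_key: bytes, registry: dict) -> str:
    """Issuer binds the symmetric PoP key to the JWT through cnf.kid. The
    kid -> key mapping reaches the recipient out of band (assumption)."""
    kid = b64url(hashlib.sha256(pop_key).digest()[:8])
    registry[kid] = pop_key
    claims = {"iss": "https://as.example", "sub": subject, "cnf": {"kid": kid}}
    return hs256_sign(claims, issuer_key)


def prove_possession(pop_jwt: str, pop_key: bytes, nonce: str) -> str:
    """Presenter signs the recipient's nonce and a hash of the JWT with the PoP key."""
    jwt_hash = b64url(hashlib.sha256(pop_jwt.encode()).digest())
    return hs256_sign({"nonce": nonce, "jwt_hash": jwt_hash}, pop_key)


def verify_presentation(pop_jwt: str, proof: str, nonce: str,
                        issuer_key: bytes, registry: dict) -> bool:
    """Recipient: verify the issuer's signature, look up cnf.kid, verify the proof.
    Nothing here depends on which party generated the PoP key."""
    claims = hs256_verify(pop_jwt, issuer_key)
    if claims is None:
        return False
    pop_key = registry.get(claims.get("cnf", {}).get("kid"))
    if pop_key is None:
        return False
    proof_claims = hs256_verify(proof, pop_key)
    if proof_claims is None:
        return False
    jwt_hash = b64url(hashlib.sha256(pop_jwt.encode()).digest())
    return proof_claims.get("nonce") == nonce and proof_claims.get("jwt_hash") == jwt_hash


def run_flow(key_generator: str, presenter_seed_space: Optional[int] = None,
             issuer_seed_space: Optional[int] = None) -> dict:
    """key_generator is 'presenter' (key sent presenter -> issuer) or 'issuer'
    (key returned issuer -> presenter). The key inherits the quality of the
    generating party's randomness; everything downstream is identical."""
    seed_space = {"presenter": presenter_seed_space, "issuer": issuer_seed_space}[key_generator]
    pop_key = generate_pop_key(seed_space)
    issuer_key = secrets.token_bytes(32)   # issuer/recipient JWT signing secret (assumption)
    registry: dict = {}
    pop_jwt = issue_pop_jwt(issuer_key, "alice", pop_key, registry)
    nonce = b64url(secrets.token_bytes(16))   # recipient's challenge
    proof = prove_possession(pop_jwt, pop_key, nonce)
    return {"pop_jwt": pop_jwt, "proof": proof, "nonce": nonce, "pop_key": pop_key,
            "issuer_key": issuer_key, "registry": registry,
            "valid": verify_presentation(pop_jwt, proof, nonce, issuer_key, registry)}


def recover_weak_key(flow: dict, seed_space: int) -> Optional[bytes]:
    """Attacker who observed one proof and knows the weak party's seed space:
    brute-force the PoP key offline. Succeeds whichever party generated it."""
    for seed in range(seed_space):
        candidate = key_from_seed(seed)
        if hs256_verify(flow["proof"], candidate) is not None:
            return candidate
    return None
```

Running `run_flow("presenter")` and `run_flow("issuer")` exercises the same `verify_presentation` path, which is the sense in which the two distribution directions are equivalent. Passing `presenter_seed_space=4096` to the presenter-generated flow yields a JWT that still verifies but whose key `recover_weak_key` finds in a few thousand HMACs; choosing `key_generator="issuer"` with the same weak presenter gives a key the attacker cannot recover, which is the one case Hannes identifies where the choice of generating party matters.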