I’d argue that it’s best practice, and in line with other parts of OAuth, if we assume the server generates it in the normal case (issuer -> presenter). Client generated token keys should be an exception, especially in the asymmetric case.
— Justin > On Nov 5, 2015, at 1:32 PM, John Bradley <ve7...@ve7jtb.com> wrote: > > Agreed the only real difference is the quality of the key. If the server > generates it, then it knows that the client is not using the fixed hex value > of DEADBEEF for everything. > > John B. >> On Nov 5, 2015, at 9:25 AM, Hannes Tschofenig <hannes.tschofe...@gmx.net> >> wrote: >> >> I agree that the effect is the same. From a security point of view there >> is only an impact if one of the two parties is in a better position to >> generate random numbers, which is the basis for generating a high >> entropy symmetric key. >> >> On 11/04/2015 11:51 PM, Mike Jones wrote: >>> Thanks for the detailed read, Brian. You’re right that in the symmetric >>> case, either the issuer or the presenter can create the symmetric PoP >>> key and share it with the other party, since the effect is equivalent. >>> I suspect that both the key distribution draft and this draft should be >>> updated with a sentence or two saying that either approach can be >>> taken. Do others concur? >>> >>> >>> >>> -- Mike >>> >>> >>> >>> *From:*Brian Campbell [mailto:bcampb...@pingidentity.com] >>> *Sent:* Thursday, November 05, 2015 7:48 AM >>> *To:* Mike Jones >>> *Cc:* Kepeng Li; oauth@ietf.org >>> *Subject:* Re: [OAUTH-WG] Proof-of-Possession Key Semantics for JWTs >>> spec addressing final shepherd comment >>> >>> >>> >>> +1 for the diagrams making the document more understandable. >>> >>> One little nit/question, step 1 in both Symmetric and Asymmetric keys >>> shows the Presenter sending the key to the Issuer. It's possible, >>> however, for the key to be sent the other way. Presenter sending it to >>> the Issuer is probably preferred for asymmetric, especially if the >>> client can secure the private keys in hardware. But I don't know if one >>> way or the other is clearly better for symmetric case and PoP key >>> distribution currently has it the other way >>> <https://tools.ietf.org/html/draft-ietf-oauth-pop-key-distribution-02#section-4.2>. >>> Should the intro text somehow mention the possibility that the Issuer >>> could create the key and send it to the Presenter? >>> >>> I know it's only the introduction but it was just something that jumped >>> out at me. >>> >>> >>> >>> >>> >>> On Wed, Nov 4, 2015 at 9:04 AM, Mike Jones <michael.jo...@microsoft.com >>> <mailto:michael.jo...@microsoft.com>> wrote: >>> >>> Thanks for suggesting the diagrams, Kepeng. They make the document more >>> understandable. >>> >>> -- Mike >>> >>> ------------------------------------------------------------------------ >>> >>> *From: *Kepeng Li <mailto:kepeng....@alibaba-inc.com> >>> *Sent: *11/5/2015 12:57 AM >>> *To: *Mike Jones <mailto:michael.jo...@microsoft.com>; oauth@ietf.org >>> <mailto:oauth@ietf.org> >>> *Subject: *Re: Proof-of-Possession Key Semantics for JWTs spec >>> addressing final shepherd comment >>> >>> Thank you Mike. >>> >>> >>> >>> The diagrams look good to me. >>> >>> >>> >>> Kind Regards >>> >>> Kepeng >>> >>> >>> >>> *发件人**: *Mike Jones <michael.jo...@microsoft.com >>> <mailto:michael.jo...@microsoft.com>> >>> *日期**: *Thursday, 5 November, 2015 12:32 am >>> *至**: *"oauth@ietf.org <mailto:oauth@ietf.org>" <oauth@ietf.org >>> <mailto:oauth@ietf.org>> >>> *抄送**: *Li Kepeng <kepeng....@alibaba-inc.com >>> <mailto:kepeng....@alibaba-inc.com>> >>> *主题**: *Proof-of-Possession Key Semantics for JWTs spec addressing >>> final shepherd comment >>> >>> >>> >>> Proof-of-Possession Key Semantics for JWTs draft -06 addresses the >>> remaining document shepherd comment – adding use case diagrams to the >>> introduction. >>> >>> >>> >>> The updated specification is available at: >>> >>> · http://tools.ietf.org/html/draft-ietf-oauth-proof-of-possession-06 >>> >>> >>> >>> An HTML formatted version is also available at: >>> >>> · >>> https://self-issued.info/docs/draft-ietf-oauth-proof-of-possession-06.html >>> >>> >>> >>> -- Mike >>> >>> >>> >>> P.S. This note was also posted at http://self-issued.info/?p=1471 and >>> as @selfissued <https://twitter.com/selfissued>. >>> >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>> https://www.ietf.org/mailman/listinfo/oauth >>> >>> >>> >>> >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >>> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
