Re: [OAUTH-WG] [Ace] Questions about OAuth and DTLS

Thu, 04 Feb 2016 06:59:26 -0800 

Thank you Michael! Comments inline.

/Ludwig

On 02/04/2016 03:31 PM, Michael Richardson wrote:


Ludwig Seitz <lud...@sics.se> wrote:
     > Assuming we are using (D)TLS to secure the connection between C and RS,
     > assuming further that we are using proof-of-possession tokens [2],
     > i.e. tokens linked to a key, of which the client needs to prove 
possession in
     > order for the RS to accept the token.

     > Do we need to support cases, where the type of key used with DTLS does 
not
     > match the type of key in the PoP-token?

     > Example:

     > The client uses its raw public key as proof of possession, but the DTLS
     > connection C - RS is secured with a pre-shared symmetric key.

     > Is that a realistic use case?

Before I agree that it's unrealistic, I think it's worth going out of charter
scope and ask how much these two credentials were created/distributed.

I think that in this case, the pre-shared symmetric key is initialized
through some out-of-band (perhaps human mediated?) process, while the raw
public key did not need any other pre-arrangement.
Actually even the raw public key needs to be provisioned out-of-band to those supposed to trust it for authentication. 



So my question is then: could the out-of-band process have pre-exchanged the
raw public key (and the RS's key/certificate!) as well?



Short answer: Yes but only to the AS not to the client(s).
Long answer: I am laboring under the assumption that the AS not only provides the OAuth token and the corresponding PoP key to the client, but also some information on the communication security protocols that the RS supports. Furthermore the AS facilitates the establishment of a security context between client and RS by providing things such as a (D)TLS-PSK or the RS's raw public key, depending on the (D)TLS mode that the RS is going to support. Thus individual clients would not, a-priori, know the raw public key of a RS, but would be able to get that information from the AS. 

--
Ludwig Seitz, PhD
SICS Swedish ICT AB
Ideon Science Park
Building Beta 2
Scheelevägen 17
SE-223 70 Lund

Phone +46(0)70 349 9251
http://www.sics.se

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Reply via email to