On 02/07/2016 06:24 PM, Samuel Erdtman wrote:
> Hi,
> ~snip~
> But I think there are some compelling properties of having a symmetric PoP key and a Raw Public Key (D)TLS. In this case the public key of the RS can be distributed to the client in the client information (the attributes accompanying the token) from the AS and the PoP key as defined by the PoP key distribution draft. With this setup the client can authenticate the server at connection time and then it can send its PoP token to the authorization information endpoint/resource at the RS (defined in draft-ietf-ace-oauth-authz as an alternative to the HTTP Authorization header) to authorize the client.
In this case you need to perform an additional proof-of-possession step. Worse, we have to define a new protocol for this.
@OAuth: It is not really clear to me from reading the PoP drafts, what the acceptable proof-of-possession methods are. Is this some work that the WG is planning to do?
/Ludwig

-- 
Ludwig Seitz, PhD
SICS Swedish ICT AB
Ideon Science Park
Building Beta 2
Scheelevägen 17
SE-223 70 Lund
Phone +46(0)70 349 9251
http://www.sics.se
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
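The flow sketched in the quoted message, and the gap Ludwig points at, as an added, offline model (this is example code written for this page, not code from either poster nor from the ACE or OAuth PoP drafts). It assumes a constructed AS/RS shared key and a constructed stand-in for the RS raw public key, replaces CBOR/COSE/DTLS with JSON, HMAC-SHA256 and a plain key comparison, uses the made-up parameter names `rs_cnf` and `ek`, and adds a hypothetical nonce/HMAC challenge to stand for the "additional proof-of-possession step" that the message says would still have to be defined:

```python
"""Constructed model: symmetric PoP key, RS raw public key handed to the client
by the AS, RPK-style server authentication, then the token posted to the RS
authz-info endpoint. Shows that posting the token over a server-authenticated
channel proves nothing about the sender until a separate PoP step runs."""
import hashlib
import hmac
import json
import secrets

# Constructed long-term material (not real keys). AS_RS_KEY is the symmetric
# key the AS shares with the RS to protect tokens; RS_RPK stands in for the RS
# raw public key: only its identity is compared, no signatures are made.
AS_RS_KEY = bytes.fromhex("3c7a5d2e1f0b9a8877665544332211ffeeddccbbaa99887766554433221100aa")
RS_RPK = bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8f90")


def _wrap(key_bytes, iv):
    """Stand-in for COSE_Encrypt0: XOR with an HMAC-derived one-time keystream."""
    stream = hmac.new(AS_RS_KEY, b"enc" + iv, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(key_bytes, stream))


def as_token_response(aud, scope):
    """AS: mint a MACed token carrying the wrapped PoP key in cnf, and return it
    with the client information: the PoP key itself and the RS raw public key
    (under the assumed name rs_cnf)."""
    pop_key = secrets.token_bytes(32)
    iv = secrets.token_bytes(16)
    kid = secrets.token_hex(4)
    body = {"aud": aud, "scope": scope, "iv": iv.hex(),
            "cnf": {"kid": kid, "ek": _wrap(pop_key, iv).hex()}}  # ek: assumed name
    payload = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(AS_RS_KEY, b"mac" + payload, hashlib.sha256).hexdigest()
    return {"access_token": {"payload": payload.decode(), "tag": tag},
            "cnf": {"kid": kid, "k": pop_key.hex()},
            "rs_cnf": {"rpk": RS_RPK.hex()}}


def client_check_server_rpk(client_info, presented_rpk):
    """Client side of the RPK (D)TLS handshake, reduced to its essence: accept
    the server only if it presents the raw public key the AS told us to expect."""
    expected = bytes.fromhex(client_info["rs_cnf"]["rpk"])
    return hmac.compare_digest(expected, presented_rpk)


class ResourceServer:
    def __init__(self, aud):
        self.aud = aud
        self.pop_keys = {}  # kid -> (pop_key, scope), learned via authz-info

    def authz_info(self, token):
        """authz-info endpoint: verify the token, unwrap and store the PoP key.
        Accepting the token says nothing about who posted it."""
        payload = token["payload"].encode()
        tag = hmac.new(AS_RS_KEY, b"mac" + payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, token["tag"]):
            return False
        body = json.loads(payload)
        if body["aud"] != self.aud:
            return False
        pop_key = _wrap(bytes.fromhex(body["cnf"]["ek"]), bytes.fromhex(body["iv"]))
        self.pop_keys[body["cnf"]["kid"]] = (pop_key, body["scope"])
        return True

    def challenge(self):
        return secrets.token_bytes(16)

    def verify_pop(self, kid, nonce, response):
        """Hypothetical extra PoP step (not in the drafts): HMAC over an RS nonce
        under the PoP key bound to kid."""
        entry = self.pop_keys.get(kid)
        if entry is None:
            return False
        expected = hmac.new(entry[0], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_pop_response(client_info, nonce):
    return hmac.new(bytes.fromhex(client_info["cnf"]["k"]), nonce, hashlib.sha256).digest()


def run_flow():
    """Genuine client versus a party that holds only the token."""
    info = as_token_response("rs1", "read")
    kid = info["cnf"]["kid"]
    rs = ResourceServer("rs1")
    nonce = rs.challenge()
    rs_token_only = ResourceServer("rs1")
    nonce2 = rs_token_only.challenge()
    return {
        "server_authenticated": client_check_server_rpk(info, RS_RPK),
        "wrong_rpk_rejected": not client_check_server_rpk(info, b"\x00" * 32),
        "token_accepted": rs.authz_info(info["access_token"]),
        "pop_proven": rs.verify_pop(kid, nonce, client_pop_response(info, nonce)),
        # Token without key: authz-info still accepts it, only the PoP step fails.
        "token_accepted_without_key": rs_token_only.authz_info(info["access_token"]),
        "pop_proven_without_key": rs_token_only.verify_pop(
            kid, nonce2, hmac.new(b"guess", nonce2, hashlib.sha256).digest()),
    }
```

The point of `run_flow` is the last two entries: the RS accepts the token at authz-info from anyone who holds it, so the client is only authorized once the separate challenge succeeds, and that challenge is exactly the step the message says is not yet defined.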