Hi Ben, currently we don't seem to have an indication that there is an attack possible. It would be interesting to see whether we could still construct one. Maybe you can dig out other protocols that have tried to accomplish similar goals (and failed).
Ciao Hannes -----Original Message----- From: OAuth <oauth-boun...@ietf.org> On Behalf Of Benjamin Kaduk Sent: Sonntag, 28. April 2019 05:58 To: Luca Arnaboldi <luca.arnabo...@arm.com> Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] Formal analysis of draft-ietf-oauth-pop-key-distribution On Fri, Apr 26, 2019 at 10:51:53AM +0000, Luca Arnaboldi wrote: > * I spoke with Hannes after the IETF meeting in Prague and he expressed the > need to enhance our formal analysis (as presented at the OAuth Security > Workshop) to verify whether it is necessary to demonstrate possession of the > private key by the client to the authorization server. > > > * The analysis checked whether it was necessary for a proof of possession to > be performed between the client and AS to ensure security. The result was > that even without verification by the AS the client would not be able to > access the resource from the RS without possessing the secret key associated > to the token (assuming the check is done correctly by the RS). My apologies for not checking the model directly (I'm on a plane), but I'll note that we have seen similar PoP scenarios in other protocols where a misbehaving client will deliberately try to bind the (valid) key from another party to a token it authorizes, which can sometimes result in the other party taking actions different from the ones they intended. So I'd suggest being careful about what scope of attacks are considered. Thanks, Ben _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you. _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
