Hi Zhou,
On Sep 10, 2012, at 11:51 AM, [email protected] wrote:

>
> And I don't think sending client the mac key or hot-sk is good.

The Client and the Resource Server need to obtain this session key somehow. Only two mechanisms exist:

a) Key Transport
b) Key Agreement

Here a key transport based mechanism is used and that's not uncommon.

> Since distributing shared keys between AS and RS is already a cumbersome work,
> sending key to client implies the key is only one time thing, that will
> further increase the complexity.
>

Authentication and key exchange protocols are a complex thing. No doubt about that.

Ciao
Hannes

>
> ZhouSuJing00132831/user/zte_ltd wrote on 2012-09-10 16:46:47:
>
> > Hi, Hannes,
> > Thank you for the clarity.
> > Yes, it makes sense.
> > Then http-mac and hot-sk are quite similar. Why do redundant work?
> >
> > Hannes Tschofenig <[email protected]> wrote on 2012-09-10 16:06:34:
> >
> > > Hi Zhou,
> > >
> > > here is the story.
> > >
> > > The Authorization Server gives an Access Token to the Client and the
> > > client presents that Access Token to Resource Servers.
> > > This has not changed in comparison to Bearer Tokens.
> > >
> > > However, in addition to just presenting the Access Token by the
> > > Client to the Resource Server the Client also needs to compute a
> > > keyed message digest on the access request to the protected resource.
> > >
> > > It needs a key to compute the keyed message digest.
> > >
> > > This key, called MAC key, is provided by the Authorization Server
> > > together with the Access Token.
> > >
> > > What is not said in the document is how the Resource Server obtains
> > > the MAC key from the Authorization Server. It is assumed to be
> > > shared somehow.
> > >
> > > Hope that makes more sense.
> > >
> > > Ciao
> > > Hannes
> > >
> > > On Sep 10, 2012, at 10:57 AM, [email protected] wrote:
> > >
> > > > Hi,
> > > >
> > > > I have a question concerning draft-ietf-oauth-v2-http-mac-01:
> > > > The proposal is that Client obtains MAC credentials (i.e., MAC
> > > > keys) from Resource Server first, then Client generates MAC access
> > > > token using MAC keys, and sends MAC access token to RS, RS
> > > > recalculates MAC access token to verify the validity, right?
> > > > But in Section 5.1 it says the Authorization server issues the
> > > > MAC access token.
> > > > I am totally lost,
> > > > if AS is to issue MAC access token, then for RS to verify, the
> > > > MAC key should be shared between AS and RS, Client doesn't have to know
> > > > them;
> > > > if RS is to issue MAC access token, then it is not conforming to
> > > > OAuth 2.0 framework.
> > > >

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
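The flow Hannes describes above (the AS hands the MAC key to the Client with the access token, the RS holds the same key, the Client computes a keyed message digest over the request and the RS recomputes it), as an added Python example that is not part of this thread or of the draft. The key, token, nonce and the normalized request string layout are constructed assumptions, loosely modelled on draft-ietf-oauth-v2-http-mac-01 rather than its exact encoding.

```python
import hmac, hashlib, base64, time

# Constructed demo values: in the draft's model the Authorization Server issues this
# MAC key to the Client together with the access token, and the Resource Server
# obtains the same key from the Authorization Server out of band (key transport).
MAC_KEY = b"demo-mac-key-issued-by-AS"
ACCESS_TOKEN = "demo-access-token"

def normalized_request_string(ts, nonce, method, uri, host, port, ext=""):
    # Simplified normalized request string (assumption: one element per line,
    # each terminated by a newline, in the spirit of the draft's layout).
    return "\n".join([str(ts), nonce, method.upper(), uri, host.lower(), str(port), ext]) + "\n"

def client_sign(key, ts, nonce, method, uri, host, port, ext=""):
    # Client side: keyed message digest (HMAC-SHA-256) over the normalized request.
    nrs = normalized_request_string(ts, nonce, method, uri, host, port, ext).encode()
    return base64.b64encode(hmac.new(key, nrs, hashlib.sha256).digest()).decode()

class ResourceServer:
    def __init__(self, key, token, window=300):
        self.key, self.token, self.window = key, token, window
        self.seen = set()  # (timestamp, nonce) pairs already accepted, for replay detection

    def verify(self, token, ts, nonce, mac, method, uri, host, port, ext="", now=None):
        now = time.time() if now is None else now
        if token != self.token:
            return False, "unknown token"
        if abs(now - ts) > self.window:
            return False, "timestamp outside acceptable window"
        # Recompute the digest with the shared key; constant-time comparison.
        expected = client_sign(self.key, ts, nonce, method, uri, host, port, ext)
        if not hmac.compare_digest(expected, mac):
            return False, "mac mismatch"
        if (ts, nonce) in self.seen:
            return False, "replayed nonce"
        self.seen.add((ts, nonce))
        return True, "ok"

def demo():
    rs = ResourceServer(MAC_KEY, ACCESS_TOKEN)
    now = 1347270000  # constructed fixed clock
    nonce = "273156:di3hvdf8"
    uri, host, port = "/resource/1?b=1&a=2", "example.com", 80
    mac = client_sign(MAC_KEY, now, nonce, "GET", uri, host, port)
    ok = rs.verify(ACCESS_TOKEN, now, nonce, mac, "GET", uri, host, port, now=now + 5)
    # A tampered request (different URI) fails; a replay of the original fails too.
    tampered = rs.verify(ACCESS_TOKEN, now, nonce, mac, "GET", "/resource/2", host, port, now=now + 5)
    replayed = rs.verify(ACCESS_TOKEN, now, nonce, mac, "GET", uri, host, port, now=now + 5)
    return ok[0], tampered[1], replayed[1]
```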
