> > The example of asymmetrical key is flawed. Without trust (e.g. Certificate) implemented, Client can use any pk/sk generated by itself to confirm its knowledge of sk.
>
> It is perfectly fine but there are obviously lots of details missing. If you look at http://tools.ietf.org/html/draft-tschofenig-oauth-hotk-01 then see the details.

It says in draft-tschofenig-oauth-security-00 that "When the Client requests an access token the Authorization Server creates an ephemeral public / private key pair (PK/SK) and places the public key PK into the protected token." --- the AS selects pk, sk and sends sk, pk to the Client. In draft-tschofenig-oauth-hotk-01, it says the Client includes pk_info in the request, which implies sk, pk are chosen by the client. They are different. And selecting pk, sk by the client is reasonable. But how are pk and the access token bound?

> > 3. In section 4.4 summary
> > "The weak point with this approach..is.. increased complexity: a complete key distribution protocol has to be defined."
> > Don't have to be always the case.
> > For example, client send H(R) in token request to AS, AS includes the H(R) in the token, and client sends (token,R) to RS,
> > RS can verify the key confirmation by client without using preinstalled key between AS and RS.
>
> What you describe is a key distribution protocol.
>
> Ciao
> Hannes
>
> > [email protected] wrote on 2012-09-06 22:25:03:
> > > Hi all,
> > >
> > > following the discussions at the last IETF meeting and the weeks before Phil and I had prepared a short writeup about the threats, and the security requirements.
> > >
> > > Here is the document:
> > > http://tools.ietf.org/html/draft-tschofenig-oauth-security-00
> > >
> > > Please share your views with us. Is there something missing? Is further explanation needed? With what do you agree / disagree?
> > >
> > > Ciao
> > > Hannes & Phil
> > > _______________________________________________
> > > OAuth mailing list
> > > [email protected]
> > > https://www.ietf.org/mailman/listinfo/oauth
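Added worked example, not taken from the thread or from either draft: a minimal three-party sketch of the H(R) key-confirmation scheme quoted above. The client keeps a random secret R and sends only H(R) to the AS; the AS copies H(R) into the token; the RS accepts a presentation (token, R) only if the token is intact and H(R) matches. The example assumes the RS verifies token integrity with a MAC key it obtained from the AS (`AS_TOKEN_KEY`, a constructed value), and the claim name `cnf_hash` and all function names are made up for this illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed for this example: the key the AS uses to protect tokens and the
# RS uses to verify them. How the RS obtains it is exactly the point the
# thread argues about; it is simply assumed here.
AS_TOKEN_KEY = b"example-as-token-key-do-not-reuse"


def h(data: bytes) -> str:
    """H(R): SHA-256 of the client's secret R, hex encoded."""
    return hashlib.sha256(data).hexdigest()


def client_prepare_token_request():
    """Client picks a fresh random secret R and sends only H(R) to the AS."""
    R = secrets.token_bytes(32)
    return R, {"scope": "read", "cnf_hash": h(R)}


def as_issue_token(request: dict, key: bytes = AS_TOKEN_KEY) -> str:
    """AS copies H(R) from the request into the token and MACs the token."""
    payload = json.dumps(
        {"scope": request["scope"], "cnf_hash": request["cnf_hash"]},
        sort_keys=True,
    ).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return (
        base64.urlsafe_b64encode(payload).decode()
        + "."
        + base64.urlsafe_b64encode(tag).decode()
    )


def rs_verify_presentation(token: str, R: bytes, key: bytes = AS_TOKEN_KEY):
    """RS checks token integrity, then that H(R) in the token matches the R shown.

    Returns the token claims on success, None on any failure.
    """
    try:
        payload_b64, tag_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # token was altered or not issued by this AS
    claims = json.loads(payload)
    if not hmac.compare_digest(claims["cnf_hash"], h(R)):
        return None  # presenter does not hold the R committed to in the token
    return claims


def run_exchange():
    """Run the honest flow plus two failing presentations.

    Returns (claims_for_honest_client, result_with_wrong_R, result_with_tampered_token).
    """
    R, request = client_prepare_token_request()
    token = as_issue_token(request)

    honest = rs_verify_presentation(token, R)
    wrong_secret = rs_verify_presentation(token, secrets.token_bytes(32))

    # Constructed tampering attempt: change the scope but keep the original tag.
    _, tag_b64 = token.split(".")
    forged_payload = json.dumps(
        {"scope": "admin", "cnf_hash": request["cnf_hash"]}, sort_keys=True
    ).encode()
    forged_token = base64.urlsafe_b64encode(forged_payload).decode() + "." + tag_b64
    tampered = rs_verify_presentation(forged_token, R)

    return honest, wrong_secret, tampered


if __name__ == "__main__":
    honest, wrong_secret, tampered = run_exchange()
    print("honest client accepted:", honest is not None)
    print("wrong R rejected:", wrong_secret is None)
    print("tampered token rejected:", tampered is None)
```

Two observations follow directly from the code. First, the RS still has to trust the token's integrity somehow, which is why `AS_TOKEN_KEY` is assumed; binding a client-chosen public key into the token (the pk_info question raised in the message) works the same way, with the public key taking the place of `cnf_hash`. Second, the client hands R to the RS in the clear, so the commitment is consumed on first use: anyone who can read that presentation holds everything needed to repeat it, whereas a public-key binding lets the client prove possession of sk without disclosing it. Those are properties of the scheme as sketched here, not claims made in the thread.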
