Hi, Hannes,
   draft-hardjono-oauth-umacore-04 is on interaction between AS and RS
utilizing OAuth;
   Ping's "OAuth Authorization Server Verification Interface" is on RS
requesting AS to verify access token for it because RS could not do it
itself.
   They are not on sharing long lived keys between AS and RS which may be
used in calculating and verifying access token.
   Ping's draft is an alternative solution for verifying access token
produced by knowledge of a key, e.g., MAC, without sharing the keys
between AS and RS.
   It may be seen as a counter-example to “a complete key distribution
protocol has to be defined.”

Hannes Tschofenig <[email protected]> wrote on 2012-09-18 00:21:38:

> Good point, Justin.  I was thinking a bit too narrowly here.
> 
> On 09/17/2012 05:13 PM, Justin Richer wrote:
> > On 09/17/2012 08:11 AM, Hannes Tschofenig wrote:
> >>> Since it is preferred to have long lived key shared between AS and RS in
> >>> this WG,
> >>> Is there any consideration for this key distribution and its security
> >>> requirements?
> >> So far we have had only discussions regarding the standardization of the
> >> AS<->RS server interaction in the context of the UMA work.
> >>
> >> You may want to have a look at
> >> http://tools.ietf.org/html/draft-hardjono-oauth-umacore
> >>
> > Not quite true. There's also the token introspection, like Ping has
> > published[1] or what AOL or MITRE have both implemented. You also have
> > to account for those using structured tokens (like JWTs) with signatures
> > to communicate using the token itself, analogous to SAML assertions.
> >
> > When we brought it up during the re-chartering discussion, there seemed
> > to be a number of folks willing to work on publishing something in this
> > area.
> >
> >   -- Justin
> >
> > [1] http://www.ietf.org/mail-archive/web/oauth/current/msg08607.html
> 
> 

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
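As an added illustration of the two approaches this thread contrasts (a long-lived MAC key shared between AS and RS, versus the RS asking the AS to verify the token so the key never leaves the AS), here is example code that is not part of the thread, the UMA draft, or Ping's draft. All class and function names (`AuthorizationServer`, `ResourceServer`, `introspect`, `verify_mac_token`) are hypothetical; the RS-to-AS verification call is simulated as an in-process method so the example runs offline, where a deployment would use an authenticated HTTPS request. The token format (base64url JSON claims plus an HMAC-SHA256 tag) is a constructed stand-in for any MAC-protected token.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Added example, not from any draft: model A shares the long-lived MAC key with
# the RS; model B keeps the key at the AS and the RS asks the AS to verify.


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def verify_mac_token(key: bytes, token: str, now: int) -> Optional[dict]:
    """Return the claims if the MAC tag and expiry check out, else None.
    Anyone holding `key` can run this, which is exactly what model A relies on."""
    try:
        body, tag = token.split(".")
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64u_decode(tag)):  # constant-time
            return None
        claims = json.loads(_b64u_decode(body))
    except ValueError:  # malformed base64, bad JSON, wrong number of segments
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


class AuthorizationServer:
    def __init__(self) -> None:
        self._mac_key = secrets.token_bytes(32)  # long-lived key, random per AS
        self._revoked: set = set()

    def issue_token(self, subject: str, scope: str, now: int, ttl: int = 300) -> str:
        claims = {"sub": subject, "scope": scope, "exp": now + ttl, "jti": secrets.token_hex(8)}
        body = _b64u(json.dumps(claims, separators=(",", ":")).encode())
        tag = hmac.new(self._mac_key, body.encode(), hashlib.sha256).digest()
        return f"{body}.{_b64u(tag)}"

    def revoke(self, jti: str) -> None:
        self._revoked.add(jti)

    # Model A: hand the key to the RS (this is the key distribution step the thread discusses).
    def share_key_with(self, rs: "ResourceServer") -> None:
        rs.accept_shared_key(self._mac_key)

    # Model B: the RS presents the token; the AS verifies with the key only it holds.
    def introspect(self, token: str, now: int) -> dict:
        claims = verify_mac_token(self._mac_key, token, now)
        if claims is None or claims.get("jti") in self._revoked:
            return {"active": False}
        return {"active": True, **claims}


class ResourceServer:
    def __init__(self) -> None:
        self._shared_key: Optional[bytes] = None

    def accept_shared_key(self, key: bytes) -> None:
        self._shared_key = key

    def verify_locally(self, token: str, now: int) -> Optional[dict]:
        if self._shared_key is None:
            raise RuntimeError("no key shared with AS; use introspection instead")
        return verify_mac_token(self._shared_key, token, now)

    def verify_via_introspection(self, authz: AuthorizationServer, token: str, now: int) -> Optional[dict]:
        # Simulated in-process; a real RS would make an authenticated HTTPS call here.
        result = authz.introspect(token, now)
        return result if result["active"] else None


def demo() -> dict:
    """Run both models against a valid, a forged, an expired and a revoked token."""
    now = int(time.time())
    authz = AuthorizationServer()
    token = authz.issue_token("alice", "read", now)
    body, tag = token.split(".")
    claims = json.loads(_b64u_decode(body))

    # Forged token: claims edited, original tag kept. Constructed test input.
    claims_forged = dict(claims, sub="mallory")
    forged = _b64u(json.dumps(claims_forged, separators=(",", ":")).encode()) + "." + tag

    rs_a = ResourceServer()  # model A: receives the key
    authz.share_key_with(rs_a)
    rs_b = ResourceServer()  # model B: never sees the key

    out = {
        "a_valid": rs_a.verify_locally(token, now) is not None,
        "a_forged": rs_a.verify_locally(forged, now) is not None,
        "b_valid": rs_b.verify_via_introspection(authz, token, now) is not None,
        "b_forged": rs_b.verify_via_introspection(authz, forged, now) is not None,
        "b_expired": rs_b.verify_via_introspection(authz, token, now + 301) is not None,
    }
    authz.revoke(claims["jti"])
    out["a_after_revoke"] = rs_a.verify_locally(token, now) is not None  # RS A cannot tell
    out["b_after_revoke"] = rs_b.verify_via_introspection(authz, token, now) is not None
    return out


if __name__ == "__main__":
    print(demo())
```

The last two results show the trade-off in one run: with the shared key the RS verifies offline but keeps accepting a token the AS has since revoked, and it now holds a key that can also mint tokens; with the AS-side verification the key stays where it was generated and revocation is visible, at the cost of a round trip whose channel must itself be authenticated. That framing of the trade-off is an editorial note, not a claim made by either draft.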