Hi Sergey,

in draft version -01 of draft-tschofenig-oauth-hotk we also included an example description of how to support symmetric keys since draft version -00 only provided support for asymmetric keys. There are essentially three ways for proof of possession of the keying material supported in that document, namely: (a) asymmetric keys, (b) JWS using symmetric keys, and (c) MAC tokens.

The symmetric key approach using JWS addresses a number of the requirements listed in draft-tschofenig-oauth-security-01, including:

- unique key naming (based on the JWS kid)
- algorithm indication (based on features provided by JWS) but not negotiation
- replay protection (based on features provided by JWS)
- key scoping based on features inherited from JWT
- resource owner identity confidentiality (based on JWT)
- keyed message digest computation based on JWS (which is much easier for implementers than the canonicalization approach)

The question about key transport from the Authorization Server to the Resource Server (via JWE) is only raised and not solved.

Ciao
Hannes

-------- Original Message --------
> Date: Thu, 20 Dec 2012 21:49:15 +0000
> From: Sergey Beryozkin <[email protected]>
> To: "<[email protected]>" <[email protected]>
> Subject: [OAUTH-WG] Few questions about HOTK
>
> Hi Hannes, others,
>
> I'd like to understand what the difference is between HOTK Symmetric [1]
> and MAC [2].
>
> I'm reading about HOTK Symmetric and the JWS profile and it seems like HOTK
> Symmetric text can support MAC.
>
> My main question at the moment: does HOTK (Symmetric) offer an
> alternative to MAC, or is HOTK actually a higher-level token scheme which
> can support different types of tokens?
>
> thanks, Sergey
>
> [1] http://tools.ietf.org/html/draft-tschofenig-oauth-hotk-01
> [2] http://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac-02
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
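The list above (key naming via kid, algorithm indication, replay protection, key scoping via JWT claims, keyed digest via JWS) can be made concrete with a small end-to-end sketch. The following is an added example written for this page, not code from the thread or from the draft: a client builds an HS256 compact JWS over JWT claims, and a resource server verifies it by selecting the shared key by kid, rejecting any other alg before touching a key, comparing the MAC in constant time, and enforcing aud, exp and a jti replay cache. Only the Python standard library is used; every key id, key value, audience and claim below is a constructed sample value, and the ResourceServer class and its method names are this example's own.

```python
"""Added example: JWS (HS256) proof of possession with a symmetric key.
Not from draft-tschofenig-oauth-hotk; all identifiers are constructed."""
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data: bytes) -> str:
    """base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    """Restore the padding that b64url_encode stripped."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(kid: str, key: bytes, claims: dict) -> str:
    """Client side: compact JWS over the JWT claims. The 'kid' header names the
    shared key so the resource server can pick the right secret directly."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


class ResourceServer:
    """Resource-server verifier (hypothetical helper for this example).
    keys: mapping kid -> shared secret; audience: this server's identifier;
    now: clock function, injectable so the example is deterministic."""

    def __init__(self, keys: dict, audience: str, now=time.time):
        self.keys = dict(keys)
        self.audience = audience
        self.now = now
        self.seen_jti = set()  # replay cache of token ids already accepted

    def verify(self, token: str) -> dict:
        try:
            h_b64, p_b64, s_b64 = token.split(".")
        except ValueError:
            raise ValueError("malformed compact JWS")
        header = json.loads(b64url_decode(h_b64))
        # Algorithm indication: accept only the expected keyed-digest algorithm;
        # 'none' or a different alg is rejected before any key is consulted.
        if header.get("alg") != "HS256":
            raise ValueError("unexpected alg")
        key = self.keys.get(header.get("kid"))  # unique key naming via kid
        if key is None:
            raise ValueError("unknown kid")
        expected = hmac.new(
            key, (h_b64 + "." + p_b64).encode("ascii"), hashlib.sha256
        ).digest()
        if not hmac.compare_digest(expected, b64url_decode(s_b64)):
            raise ValueError("bad MAC")
        claims = json.loads(b64url_decode(p_b64))
        # Key scoping inherited from JWT: the token must be meant for this server.
        if claims.get("aud") != self.audience:
            raise ValueError("wrong audience")
        if self.now() >= claims.get("exp", 0):
            raise ValueError("expired")
        # Replay protection: each jti is accepted once within the token lifetime.
        jti = claims.get("jti")
        if not jti or jti in self.seen_jti:
            raise ValueError("replayed or missing jti")
        self.seen_jti.add(jti)
        return claims


if __name__ == "__main__":
    # Constructed sample values for a stand-alone run.
    KEY = b"constructed-shared-secret-for-example-only"
    rs = ResourceServer({"client-1-key": KEY}, "https://rs.example", now=lambda: 1000)
    tok = sign_hs256("client-1-key", KEY, {
        "iss": "https://as.example", "sub": "alice",
        "aud": "https://rs.example", "exp": 1300, "jti": "n1",
    })
    print(rs.verify(tok)["sub"])
```

The verifier deliberately checks alg and kid before computing anything, so a token naming an unknown key or a different algorithm never reaches the MAC step; the jti cache only needs to retain ids until their exp has passed.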
