Hi Hannes
On 21/12/12 10:43, Hannes Tschofenig wrote:
Hi Sergey,
in draft version -01 of draft-tschofenig-oauth-hotk we also included an example
description of how to support symmetric keys since draft version -00 only
provided support for asymmetric keys. There are essentially three ways for
proof of possession of the keying material supported in that document, namely:
(a) asymmetric keys, (b) JWS using symmetric keys, and (c) MAC tokens.
The symmetric key approach using JWS addresses a number of the requirements
listed in draft-tschofenig-oauth-security-01, including
- unique key naming (based on the JWS kid)
- algorithm indication (based on features provided by JWS) but not negotiation
- replay protection (based on features provided by JWS)
- key scoping based on features inherited from JWT
- resource owner identity confidentiality (based on JWT)
- keyed message digest computation based on JWS (which is much easier for
implementers than the canonicalization approach).
The question about key transport from the Authorization Server to the Resource
Server (via JWE) is only raised and not solved.
I think I'm getting your earlier point now that HOTK and MAC are not
equal in what they can offer; the concepts are somewhat orthogonal.
As far as MAC & HOTK are concerned, would it be right to say that MAC offers:
- unique key naming (based on the MAC key id returned to the client)
- some support around replay protection based on Authorization MAC nonce
& timestamp attributes
- key scoping? (MAC attributes are bound to an access token which will
expire)
- algorithm indication (e.g., hmac-sha-1)
Note I'm not trying to prove MAC may be at the same level as JWS with
respect to a number of HOTK properties that can be supported or the
security requirements that can be met, rather I'd like to grasp what
exactly MAC offers with respect to the HOTK discussion :-)
Cheers, Sergey
Ciao
Hannes
-------- Original Message --------
Date: Thu, 20 Dec 2012 21:49:15 +0000
From: Sergey Beryozkin <[email protected]>
To: "<[email protected]>" <[email protected]>
Subject: [OAUTH-WG] Few questions about HOTK
Hi Hannes, others,
I'd like to understand what the difference is between HOTK Symmetric [1]
and MAC [2].
I'm reading about HOTK Symmetric and JWS profile and it seems like HOTK
Symmetric text can support MAC.
My main question at the moment: does HOTK (Symmetric) offer an
alternative to MAC, or is HOTK actually a higher-level token scheme which
can support different types of tokens?
thanks, Sergey
[1] http://tools.ietf.org/html/draft-tschofenig-oauth-hotk-01
[2] http://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac-02
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
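To make the properties Hannes lists for the symmetric JWS approach concrete, here is an added example (not code from either draft or from anyone in this thread) of a client proving possession of an AS-issued symmetric key with a JWS HS256 token and a resource server checking kid-based key lookup, algorithm allow-listing, audience scoping and jti replay protection. The key table, kid, audience URL and claim names are constructed assumptions, not values from the drafts.

```python
import base64, hashlib, hmac, json

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

# Constructed sample: one symmetric key the AS issued to a client, indexed by its kid.
RS_KEYS = {"client-42-key-1": b"constructed-demo-secret-do-not-reuse"}

def client_sign(kid, key, claims):
    # Client proves possession of the symmetric key by signing the claims (JWS HS256).
    # kid names the key and alg indicates the algorithm; both travel in the protected header.
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc({"alg": "HS256", "typ": "JWT", "kid": kid}) + "." + enc(claims)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

class ResourceServer:
    def __init__(self, keys, audience):
        self.keys, self.audience = keys, audience
        self.seen_jti = set()  # replay protection: jti values already accepted

    def verify(self, token, now):
        # Returns (accepted, reason); checks run in the order a verifier should apply them.
        try:
            h, p, s = token.split(".")
            header, claims = json.loads(b64url_decode(h)), json.loads(b64url_decode(p))
            if not isinstance(header, dict) or not isinstance(claims, dict):
                raise ValueError
        except (ValueError, UnicodeDecodeError):
            return False, "malformed"
        if header.get("alg") != "HS256":           # allow-list the algorithm; never accept "none"
            return False, "alg not allowed"
        key = self.keys.get(header.get("kid"))     # unique key naming: look the key up by kid
        if key is None:
            return False, "unknown kid"
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return False, "bad signature"
        if claims.get("aud") != self.audience:     # key scoping: token bound to this RS
            return False, "wrong audience"
        if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
            return False, "expired"
        jti = claims.get("jti")
        if not jti or jti in self.seen_jti:         # replay protection via jti
            return False, "replay"
        self.seen_jti.add(jti)
        return True, "ok"
```

The key transport question Hannes leaves open (how the RS obtains the key for a given kid) is out of scope here; the example simply assumes the RS already holds the key table.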