I agree with what John wrote below. Besides, PoP is more natural to say than
HoK and certainly more natural to say than HOTK. I'd like us to stay with the
term Proof-of-Possession (PoP).
-- Mike
From: OAuth [mailto:[email protected]] On Behalf Of John Bradley
Sent: Thursday, April 03, 2014 11:10 AM
To: Phil Hunt
Cc: [email protected]
Subject: Re: [OAUTH-WG] New Version Notification for
draft-hunt-oauth-pop-architecture-00.txt
Some people and specs associate holder of key with asymmetric keys. Proof of
possession is thought to be a broader category including symmetric and key
agreement, e.g. http://tools.ietf.org/html/rfc2875.
NIST defines the term PoP Protocol
http://fismapedia.org/index.php?title=Term:Proof_of_Possession_Protocol
In SAML the saml:SubjectConfirmation method is called
urn:oasis:names:tc:SAML:2.0:cm:holder-of-key
In WS* the term proof of possession is more common.
So I think for this document as an overview "Proof of Possession (PoP)
Architecture" is fine.
John B.
On Apr 3, 2014, at 12:41 PM, Phil Hunt
<[email protected]> wrote:
What was wrong with HOK?
Aside: Why was "the" so important in HOTK?
Phil
@independentid
www.independentid.com
[email protected]
On Apr 3, 2014, at 9:37 AM, Anil Saldhana
<[email protected]> wrote:
Prateek,
why not just use "proof"?
draft-hunt-oauth-proof-architecture-00.txt
Is that allowed by IETF?
Regards,
Anil
On 04/03/2014 11:30 AM, Prateek Mishra wrote:
"key confirmed" or "key confirmation" is another term that is widely used for
these use-cases
I really *like* the name "proof of possession", but I think the acronym PoP is
going to be confused with POP. HOTK has the advantage of not being a homonym
for anything else. What about "Possession Proof"?
-bill
--------------------------------
William J. Mills
"Paranoid" MUX Yahoo!
On Thursday, April 3, 2014 1:38 AM,
"[email protected]"
<[email protected]> wrote:
A new version of I-D, draft-hunt-oauth-pop-architecture-00.txt
has been successfully submitted by Hannes Tschofenig and posted to the
IETF repository.
Name: draft-hunt-oauth-pop-architecture
Revision: 00
Title: OAuth 2.0 Proof-of-Possession (PoP) Security Architecture
Document date: 2014-04-03
Group: Individual Submission
Pages: 21
URL:
http://www.ietf.org/internet-drafts/draft-hunt-oauth-pop-architecture-00.txt
Status:
https://datatracker.ietf.org/doc/draft-hunt-oauth-pop-architecture/
Htmlized: http://tools.ietf.org/html/draft-hunt-oauth-pop-architecture-00
Abstract:
The OAuth 2.0 bearer token specification, as defined in RFC 6750,
allows any party in possession of a bearer token (a "bearer") to get
access to the associated resources (without demonstrating possession
of a cryptographic key). To prevent misuse, bearer tokens must be
protected from disclosure in transit and at rest.
Some scenarios demand additional security protection whereby a client
needs to demonstrate possession of cryptographic keying material when
accessing a protected resource. This document motivates the
development of the OAuth 2.0 proof-of-possession security mechanism.
Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at
tools.ietf.org.
The IETF Secretariat
_______________________________________________
OAuth mailing list
[email protected]<mailto:[email protected]>
https://www.ietf.org/mailman/listinfo/oauth