Hi,

I think it is a reasonable simplification to mandate that the PoP key and
the (D)TLS mode match, i.e. if the PoP key is symmetric the (D)TLS mode would
be PSK, and if the PoP key is asymmetric the (D)TLS mode would be Raw Public Key.

But I think there are some compelling properties to having a symmetric PoP
key and a Raw Public Key (D)TLS session. In this case the public key of the RS can
be distributed to the client in the client information (the attributes
accompanying the token) from the AS, and the PoP key as defined by the PoP key
distribution draft. With this setup the client can authenticate the server
at connection time and then send its PoP token to the authorization
information endpoint/resource at the RS (defined in
draft-ietf-ace-oauth-authz as an alternative to the HTTP Authorization
header) to authorize the client.

Regards
//Samuel
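The two designs discussed in this thread, modelled as an added example (not code from the ACE drafts or from either poster): Ludwig's simplification, where the token's key type must match the (D)TLS mode so the handshake itself serves as proof of possession, and Samuel's setup, where a symmetric PoP key rides over a Raw Public Key session whose server key the client learned from the AS. The session and token records, and all key bytes, are constructed for the demonstration.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed model of a finished (D)TLS handshake as seen by one peer.
# "psk" stands for the RFC 4279 pre-shared-key mode, "rpk" for RFC 7250
# raw public keys; the key fields hold made-up sample bytes.
@dataclass
class DtlsSession:
    mode: str                     # "psk" or "rpk"
    server_rpk: Optional[bytes]   # raw public key the server presented (rpk only)
    client_key: Optional[bytes]   # PSK used, or client raw public key if the
                                  # client authenticated; None otherwise

@dataclass
class PopToken:
    key_type: str   # "symmetric" or "asymmetric": the type of the bound PoP key
    pop_key: bytes  # symmetric key, or raw public key bytes, bound to the token

def client_accepts_server(session: DtlsSession, rs_rpk_from_as: bytes) -> bool:
    """Samuel's setup: the client got the RS's raw public key from the AS (in
    the client information) and checks it against the key the handshake
    presented, so the server is authenticated at connection time."""
    if session.mode != "rpk" or session.server_rpk is None:
        return False
    return hmac.compare_digest(session.server_rpk, rs_rpk_from_as)

def pop_proven_by_handshake(session: DtlsSession, token: PopToken) -> bool:
    """Ludwig's simplification: when the token's key type matches the DTLS
    mode, the key the client authenticated with in the handshake must be the
    PoP key itself, so the handshake is the proof of possession."""
    if session.client_key is None:          # no client authentication at all
        return False
    if token.key_type == "symmetric" and session.mode == "psk":
        return hmac.compare_digest(session.client_key, token.pop_key)
    if token.key_type == "asymmetric" and session.mode == "rpk":
        return hmac.compare_digest(session.client_key, token.pop_key)
    return False   # mismatched types: the handshake says nothing about the PoP key

def rs_decision(session: DtlsSession, token: PopToken) -> str:
    """What the RS can conclude when a token arrives over this session."""
    if pop_proven_by_handshake(session, token):
        return "accept: possession shown by the handshake"
    if token.key_type == "symmetric" and session.mode == "rpk":
        # Samuel's case: token goes to the authz-info endpoint; the handshake
        # authenticated only the server, not the symmetric PoP key.
        return "authz-info: possession of the symmetric PoP key not shown by handshake"
    return "reject: token key type and session mode do not match"
```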

On Thu, Feb 4, 2016 at 10:54 AM, Ludwig Seitz <lud...@sics.se> wrote:

> Hello list(s),
>
> in the process of updating our draft [1] (mainly in reaction to the
> reviewer's comments) I've come up with a question I'd like to put to the
> list (crossposting to OAuth as well, they might have considered that
> already):
>
> Assuming we are using (D)TLS to secure the connection between C and RS,
> assuming further that we are using proof-of-possession tokens [2], i.e.
> tokens linked to a key, of which the client needs to prove possession in
> order for the RS to accept the token.
>
> Do we need to support cases where the type of key used with DTLS does not
> match the type of key in the PoP-token?
>
> Example:
>
> The client uses its raw public key as proof of possession, but the DTLS
> connection C - RS is secured with a pre-shared symmetric key.
>
> Is that a realistic use case?
>
> It would simplify the DTLS cases a lot if I could just require the token
> and the DTLS session to use the same type of key. For starters we could use
> the DTLS handshake to perform the proof-of-possession.
>
> Would there be any security issues with using the PoP key in the DTLS
> handshake?
>
> I'm thinking of using pre-shared symmetric PoP keys as PSK as in RFC4279
> and raw public PoP keys as client-authentication key as in
> RFC7250.
>
>
> Regards,
>
> Ludwig
>
> [1] https://datatracker.ietf.org/doc/draft-ietf-ace-oauth-authz/
> [2] https://tools.ietf.org/html/draft-ietf-oauth-pop-key-distribution-02
>
>
> --
> Ludwig Seitz, PhD
> SICS Swedish ICT AB
> Ideon Science Park
> Building Beta 2
> Scheelevägen 17
> SE-223 70 Lund
>
> Phone +46(0)70 349 9251
> http://www.sics.se
>
>
> _______________________________________________
> Ace mailing list
> a...@ietf.org
> https://www.ietf.org/mailman/listinfo/ace
>
>
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth