On Wed, Nov 27, 2019 at 3:31 AM Neil Madden <[email protected]> wrote:
>
> That is true, but is IMO more of a hindrance than an advantage for a PoP
> scheme. The very fact that the signature is valid at every RS is why you
> need additional measures to prevent cross-RS token reuse. This downside of
> signatures for authentication was pointed out by djb 18 years ago (
> https://groups.google.com/forum/m/#!msg/sci.crypt/73yb5a9pz2Y/LNgRO7IYXOwJ),
> which is why most modern crypto protocols either use Diffie-Hellman for
> authN (https://noiseprotocol.org) or sign a hash of an interactive
> handshake transcript (TLS 1.3 -
> https://tools.ietf.org/html/rfc8446#section-4.4.3) so that the signature
> is tightly bound to a specific interactive protocol run.
>

Mostly for my own edification - using Diffie-Hellman for authN (that a key was held) was effectively at the heart of the "tentative suggestion for an alternative design" that you had much earlier in this thread?
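The property under discussion, as an added example that is not from the thread or its participants and is not the alternative design referred to above (its details are not on this page): a signature over a request verifies identically at every RS, while a MAC keyed from a client-to-RS Diffie-Hellman secret is accepted only by the RS it was made for. Assumptions: long-term X25519 keys on both sides, a constructed one-step SHA-256 key derivation, and the hypothetical names `macKey`, `tag` and `replayDemo`.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// macKey derives an HMAC key from the X25519 shared secret (constructed KDF, demo only).
func macKey(priv *ecdh.PrivateKey, peer *ecdh.PublicKey) []byte {
	secret, err := priv.ECDH(peer)
	if err != nil {
		panic(err)
	}
	k := sha256.Sum256(append([]byte("demo-pop-v1"), secret...))
	return k[:]
}

func tag(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// replayDemo reports whether a proof made for RS A is accepted at RS B
// (signature scheme), and at RS A and RS B (DH-keyed MAC scheme).
func replayDemo() (sigAtB, dhAtA, dhAtB bool) {
	req := []byte("GET /resource token=abc") // constructed request

	// Signature PoP: every RS verifies with the same client public key.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	sig := ed25519.Sign(priv, req)
	sigAtB = ed25519.Verify(pub, req, sig) // RS B runs the same check as RS A

	// DH PoP: the MAC key exists only between the client and one RS.
	newKey := func() *ecdh.PrivateKey {
		k, err := ecdh.X25519().GenerateKey(rand.Reader)
		if err != nil { panic(err) }
		return k
	}
	client, rsA, rsB := newKey(), newKey(), newKey()
	proof := tag(macKey(client, rsA.PublicKey()), req) // made for RS A
	dhAtA = hmac.Equal(proof, tag(macKey(rsA, client.PublicKey()), req))
	dhAtB = hmac.Equal(proof, tag(macKey(rsB, client.PublicKey()), req))
	return
}

func main() { fmt.Println(replayDemo()) }
```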
