> On 27 Nov 2019, at 19:19, Brian Campbell <bcampb...@pingidentity.com> wrote:
>
>> On Wed, Nov 27, 2019 at 3:31 AM Neil Madden <neil.mad...@forgerock.com>
>> wrote:
>>
>> That is true, but is IMO more of a hindrance than an advantage for a PoP
>> scheme. The very fact that the signature is valid at every RS is why you
>> need additional measures to prevent cross-RS token reuse. This downside of
>> signatures for authentication was pointed out by djb 18 years ago
>> (https://groups.google.com/forum/m/#!msg/sci.crypt/73yb5a9pz2Y/LNgRO7IYXOwJ),
>> which is why most modern crypto protocols either use Diffie-Hellman for
>> authN (https://noiseprotocol.org) or sign a hash of an interactive handshake
>> transcript (TLS 1.3 - https://tools.ietf.org/html/rfc8446#section-4.4.3) so
>> that the signature is tightly bound to a specific interactive protocol run.
>>
>
> Mostly for my own edification - using Diffie-Hellman for authN (that a key
> was held) was effectively at the heart of the "tentative suggestion for an
> alternative design" that you had much earlier in this thread?

Yes, exactly.
— Neil
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
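
The cross-RS reuse point in the quoted message, as an added sketch that is not code from this thread or from any OAuth draft: the client proves possession with a MAC keyed from a static X25519 exchange with one RS, so a tag captured at RS A does not verify at RS B, whereas a signature over the same bytes would verify anywhere the client's public key is known. The function names, the SHA-256 key derivation and the demo keys are assumptions made for illustration; this is not the alternative design proposed earlier in the thread.

```python
import hashlib
import hmac

P, A24 = 2**255 - 19, 121665
BASE = (9).to_bytes(32, "little")  # X25519 base point u = 9

def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 X25519, readable reference ladder (NOT constant time)."""
    k_int = (int.from_bytes(k, "little") & ((1 << 254) - 8)) | (1 << 254)
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        bit = (k_int >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def public_key(priv: bytes) -> bytes:
    return x25519(priv, BASE)

def _mac(shared: bytes, client_pub: bytes, rs_pub: bytes, request: bytes) -> bytes:
    # Assumed KDF: hash the shared secret together with both identities.
    key = hashlib.sha256(shared + client_pub + rs_pub).digest()
    return hmac.new(key, request, hashlib.sha256).digest()

def client_tag(client_priv: bytes, rs_pub: bytes, request: bytes) -> bytes:
    """Client side: the proof is keyed to one specific RS public key."""
    shared = x25519(client_priv, rs_pub)
    return _mac(shared, public_key(client_priv), rs_pub, request)

def rs_verify(rs_priv: bytes, client_pub: bytes, request: bytes, tag: bytes) -> bool:
    """RS side: only the RS the tag was made for derives the same key."""
    shared = x25519(rs_priv, client_pub)
    expected = _mac(shared, client_pub, public_key(rs_priv), request)
    return hmac.compare_digest(tag, expected)

# Constructed demo keys and request (real keys come from os.urandom(32)).
CLIENT = hashlib.sha256(b"demo client key").digest()
RS_A = hashlib.sha256(b"demo RS A key").digest()
RS_B = hashlib.sha256(b"demo RS B key").digest()
REQUEST = b"GET /accounts HTTP/1.1"
```
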