Hello Hannes, Kepeng, ACE,

I used the PoP key concept to map other Authenticated Key Establishment (AKE) exchanges on top of it (aside from the default one in OAuth that uses timestamps). I presented this generic use at IETF 95 [1].
More relevant to the current question on ACE, I put this idea closer to reality: I co-authored a paper in which we do the actual mapping of one AKE protocol to the ACE-OAuth architecture using CWT, "Nonce-based authenticated key establishment over OAuth 2.0 IoT proof-of-possession architecture" [2]. In this Google doc [3] there is more detail about the actual messages that should be sent. This was more than one year ago, so it differs from the current state of the art of the ACE WG and CWT.

The high-level solution goes like this: the CWT has to be linked to the current run of the AKE protocol. In order to achieve this I chose to extend the COSE_Key object to be able to transport the relevant authenticated key establishment information (nonces and entity IDs). So the final CWT will contain (in the "ck") a COSE_Key that will allow the RS to validate the full AKE exchange; hence the CWT is fresh and we also have the key that goes with it.

Today I'm not sure if I would do it the same way (extend the COSE_Key object); rather, I think a more generic CBOR object can be defined, with the appropriate security services, to transport the different information needed by the AKE protocol exchange, which in the end will also be linked to the CWT. Some time ago we had some talks with Ludwig and Göran to try to put this into practice in the IETF, but it was indeed a little bit daunting to define a generic framework to run any AKE protocol on top of it linked to a PoP key/CWT. (So that's why we went first for a time synchronization solution, to at least enable the current IETF PoP exchange to work.) I don't know if there is a real need for nonce-based PoP key/CWT solutions in industry.
My 2 cents,
Renzo

[1] https://www.ietf.org/proceedings/95/slides/slides-95-ace-3.pdf
[2] https://hal.archives-ouvertes.fr/hal-01522039v1
[3] https://docs.google.com/document/d/1xzc3hUJhCEtT6_HoW2gLoBiXfNk-ID57gUs6XftlIIc/edit?usp=sharing

On Mon, Jun 12, 2017 at 8:19 PM, Hannes Tschofenig <[email protected]> wrote:
> Hi all,
>
> RFC 7800 defines how to communicate Proof of Possession (PoP) keys for
> JSON Web Tokens (JWTs) [RFC 7519]. The CBOR Web Token (CWT)
> draft-ietf-ace-cbor-web-token spec defines the CBOR/COSE equivalent of
> the JSON/JOSE JWT spec.
>
> The ACE working group is planning to also define a CBOR/COSE equivalent
> of RFC 7800 and is interested in knowing how you might use CBOR
> proof-of-possession keys for CWTs.
>
> Please drop us a message if you are using CBOR PoP keys for CWTs. We
> would like to learn more about your usage.
>
> Ciao
> Hannes & Kepeng
>
> _______________________________________________
> Ace mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/ace
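The binding Renzo describes, a PoP key object that also carries the nonces and entity IDs of one AKE run so that the RS can check freshness from its own nonce rather than from a timestamp, is sketched below in Python. This is an added illustration written for this page; it is not code from the thread, from the HAL paper or from the Google doc, and it does not reproduce the paper's actual message flow. It uses the current `cnf` claim and COSE_Key confirmation method from RFC 8747 (key 8, method 1) where the message says "ck", the standard COSE_Key labels (`kty`=1, `alg`=3, `k`=-1, `kty` Symmetric = 4, HMAC 256/256 = 5) and CWT claim keys (RFC 8392). The four private-use COSE_Key labels below -65536 that carry the AKE nonces and IDs are this example's own assumption, not registered values, and the token is protected by a plain HMAC over the encoded claims rather than a full COSE_Mac0 structure. A minimal CBOR encoder/decoder is included so the block runs without third-party libraries.

```python
"""Nonce-bound PoP token sketch (added example; not the thread's or paper's code).

AS issues a CWT whose cnf COSE_Key carries the PoP key plus this AKE run's
nonces and identities (assumed private-use labels). The RS accepts the token
only if the RS nonce inside it is the nonce it generated for the current run.
"""
import hashlib
import hmac
import os

# --- minimal CBOR (RFC 8949) for ints, byte strings, arrays and maps ---------
def _head(major, n):
    if n < 24:
        return bytes([(major << 5) | n])
    for ai, size in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if n < (1 << (8 * size)):
            return bytes([(major << 5) | ai]) + n.to_bytes(size, "big")
    raise ValueError("integer too large")

def cbor_encode(obj):
    if isinstance(obj, int):
        return _head(0, obj) if obj >= 0 else _head(1, -1 - obj)
    if isinstance(obj, bytes):
        return _head(2, len(obj)) + obj
    if isinstance(obj, list):
        return _head(4, len(obj)) + b"".join(cbor_encode(x) for x in obj)
    if isinstance(obj, dict):  # deterministic key order: sort by encoded key
        items = sorted(obj.items(), key=lambda kv: cbor_encode(kv[0]))
        return _head(5, len(obj)) + b"".join(cbor_encode(k) + cbor_encode(v) for k, v in items)
    raise TypeError("unsupported type %r" % type(obj))

def _decode(data, pos):
    ib = data[pos]
    major, ai, pos = ib >> 5, ib & 0x1F, pos + 1
    if ai < 24:
        n = ai
    elif ai <= 27:
        size = 1 << (ai - 24)
        n, pos = int.from_bytes(data[pos:pos + size], "big"), pos + size
    else:
        raise ValueError("unsupported additional info")
    if major == 0:
        return n, pos
    if major == 1:
        return -1 - n, pos
    if major == 2:
        return data[pos:pos + n], pos + n
    if major == 4:
        items = []
        for _ in range(n):
            x, pos = _decode(data, pos)
            items.append(x)
        return items, pos
    if major == 5:
        m = {}
        for _ in range(n):
            k, pos = _decode(data, pos)
            m[k], pos = _decode(data, pos)
        return m, pos
    raise ValueError("unsupported major type %d" % major)

def cbor_decode(data):
    obj, end = _decode(data, 0)
    if end != len(data):
        raise ValueError("trailing bytes")
    return obj

# --- labels ------------------------------------------------------------------
ISS, SUB, AUD, EXP, CNF = 1, 2, 3, 4, 8          # CWT claims (RFC 8392/8747)
CNF_COSE_KEY = 1                                   # cnf -> COSE_Key (RFC 8747)
KTY, ALG, K, KTY_SYMMETRIC, ALG_HMAC_256_256 = 1, 3, -1, 4, 5  # COSE (RFC 8152)
# ASSUMPTION: private-use COSE_Key labels (< -65536) invented for this example.
L_NONCE_C, L_NONCE_RS, L_ID_C, L_ID_RS = -65537, -65538, -65539, -65540

def as_issue_token(as_rs_key, pop_key, id_c, id_rs, nonce_c, nonce_rs, exp):
    """AS: build a CWT whose cnf COSE_Key is bound to one AKE run (C, RS, nonces)."""
    cose_key = {KTY: KTY_SYMMETRIC, ALG: ALG_HMAC_256_256, K: pop_key,
                L_NONCE_C: nonce_c, L_NONCE_RS: nonce_rs, L_ID_C: id_c, L_ID_RS: id_rs}
    claims = cbor_encode({ISS: b"AS", SUB: id_c, AUD: id_rs, EXP: exp,
                          CNF: {CNF_COSE_KEY: cose_key}})
    tag = hmac.new(as_rs_key, claims, hashlib.sha256).digest()  # simplified, not COSE_Mac0
    return cbor_encode([claims, tag])

def rs_verify_token(as_rs_key, token, my_id, my_nonce, now):
    """RS: check MAC, expiry, audience and that the token belongs to *this* run.
    Returns (pop_key, nonce_c, id_c) or raises ValueError."""
    claims_bytes, tag = cbor_decode(token)
    if not hmac.compare_digest(tag, hmac.new(as_rs_key, claims_bytes, hashlib.sha256).digest()):
        raise ValueError("bad MAC")
    claims = cbor_decode(claims_bytes)
    if claims[EXP] <= now:
        raise ValueError("expired")
    key = claims[CNF][CNF_COSE_KEY]
    if claims[AUD] != my_id or key[L_ID_RS] != my_id:
        raise ValueError("not for this RS")
    # Freshness: the RS compares against the nonce it itself generated for the
    # current run, so a token minted for an earlier run is rejected even if its
    # exp has not passed. This is what replaces the timestamp-based check.
    if not hmac.compare_digest(key[L_NONCE_RS], my_nonce):
        raise ValueError("token not bound to current AKE run")
    return key[K], key[L_NONCE_C], key[L_ID_C]

def client_pop(pop_key, id_c, id_rs, nonce_c, nonce_rs):
    """Client proves possession by MACing the run transcript with the PoP key."""
    return hmac.new(pop_key, cbor_encode([id_c, id_rs, nonce_c, nonce_rs]), hashlib.sha256).digest()

if __name__ == "__main__":
    as_rs_key, pop_key = os.urandom(32), os.urandom(32)
    n_c, n_rs = os.urandom(8), os.urandom(8)
    tok = as_issue_token(as_rs_key, pop_key, b"client-1", b"rs-1", n_c, n_rs, exp=2_000_000_000)
    k, nc, idc = rs_verify_token(as_rs_key, tok, b"rs-1", n_rs, now=1_700_000_000)
    print("RS accepted token; PoP ok:", hmac.compare_digest(
        client_pop(pop_key, b"client-1", b"rs-1", n_c, n_rs), client_pop(k, idc, b"rs-1", nc, n_rs)))
```

The RS never needs a clock that agrees with the AS for freshness: the `exp` check is kept only as a coarse bound, while the replay protection comes from `L_NONCE_RS`, which the RS generated itself for the run in progress. Whatever container is finally chosen (an extended COSE_Key as in the message, or a separate CBOR object), the security-relevant property is the same: the RS-contributed nonce and both identities must be under the AS's MAC together with the PoP key.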
