[OAUTH-WG] Proof-Of-Possession Semantics for JSON Web Tokens (JWTs)

Mike Jones <Michael.Jones@microsoft.com> Wed, 02 April 2014 03:37 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 78DD01A00DA for <oauth@ietfa.amsl.com>; Tue, 1 Apr 2014 20:37:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3EDh9UZ8vt_W for <oauth@ietfa.amsl.com>; Tue, 1 Apr 2014 20:37:30 -0700 (PDT)
Received: from na01-by2-obe.outbound.protection.outlook.com (mail-by2lp0235.outbound.protection.outlook.com [207.46.163.235]) by ietfa.amsl.com (Postfix) with ESMTP id 76D001A00C6 for <oauth@ietf.org>; Tue, 1 Apr 2014 20:37:30 -0700 (PDT)
Received: from BL2PR03CA018.namprd03.prod.outlook.com (10.141.66.26) by BY2PR03MB027.namprd03.prod.outlook.com (10.255.240.41) with Microsoft SMTP Server (TLS) id 15.0.913.9; Wed, 2 Apr 2014 03:37:25 +0000
Received: from BN1AFFO11FD015.protection.gbl (2a01:111:f400:7c10::192) by BL2PR03CA018.outlook.office365.com (2a01:111:e400:c1b::26) with Microsoft SMTP Server (TLS) id 15.0.898.11 via Frontend Transport; Wed, 2 Apr 2014 03:37:25 +0000
Received: from mail.microsoft.com (131.107.125.37) by BN1AFFO11FD015.mail.protection.outlook.com (10.58.52.75) with Microsoft SMTP Server (TLS) id 15.0.908.10 via Frontend Transport; Wed, 2 Apr 2014 03:37:24 +0000
Received: from TK5EX14MLTC101.redmond.corp.microsoft.com (157.54.79.193) by TK5EX14MLTC102.redmond.corp.microsoft.com (157.54.79.180) with Microsoft SMTP Server (TLS) id 14.3.174.2; Wed, 2 Apr 2014 03:36:54 +0000
Received: from TK5EX14MBXC286.redmond.corp.microsoft.com ([169.254.1.232]) by TK5EX14MLTC101.redmond.corp.microsoft.com ([157.54.79.193]) with mapi id 14.03.0174.002; Wed, 2 Apr 2014 03:36:54 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: Proof-Of-Possession Semantics for JSON Web Tokens (JWTs)
Thread-Index: Ac9OJMm2QQWqL+riTTewCyU8ts655A==
Date: Wed, 2 Apr 2014 03:36:53 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739439A132083@TK5EX14MBXC286.redmond.corp.microsoft.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.33]
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739439A132083TK5EX14MBXC286r_"
MIME-Version: 1.0
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: =?us-ascii?Q?CIP:131.107.125.37; CTRY:US; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(100?= =?us-ascii?Q?09001)(438001)(199002)(189002)(81342001)(54356001)(90146001)?= =?us-ascii?Q?(87266001)(2656002)(65816001)(56776001)(85806002)(77982001)(?= =?us-ascii?Q?97736001)(83072002)(59766001)(81686001)(85852003)(74662001)(?= =?us-ascii?Q?54316002)(15975445006)(84676001)(16236675002)(76482001)(5681?= =?us-ascii?Q?6005)(66066001)(69226001)(55846006)(80022001)(31966008)(7118?= =?us-ascii?Q?6001)(87936001)(81816001)(83322001)(16796002)(44976005)(1930?= =?us-ascii?Q?0405004)(512954002)(93516002)(95416001)(76786001)(46102001)(?= =?us-ascii?Q?92566001)(86362001)(79102001)(94316002)(95666003)(98676001)(?= =?us-ascii?Q?92726001)(74706001)(47446002)(74876001)(76796001)(77096001)(?= =?us-ascii?Q?86612001)(20776003)(49866001)(74366001)(63696002)(2009001)(7?= =?us-ascii?Q?4502001)(93136001)(33656001)(53806001)(76176001)(85306002)(9?= =?us-ascii?Q?7186001)(51856001)(50986001)(97336001)(84326002)(47736001)(9?= =?us-ascii?Q?4946001)(81542001)(19580395003)(16297215004)(15202345003)(80?= =?us-ascii?Q?976001)(4396001)(47976001)(99396002)(6606295002); DIR:OUT; SFP?= =?us-ascii?Q?:1101; SCL:1; SRVR:BY2PR03MB027; H:mail.microsoft.com; FPR:FC405?= =?us-ascii?Q?CBA.9E3A66D6.F7D1BF4B.44F0F559.201DC; MLV:sfv; PTR:InfoDomainN?= =?us-ascii?Q?onexistent; A:1; MX:1; LANG:en; ?=
X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY)
X-Forefront-PRVS: 0169092318
Received-SPF: Pass (: domain of microsoft.com designates 131.107.125.37 as permitted sender) receiver=; client-ip=131.107.125.37; helo=mail.microsoft.com;
X-OriginatorOrg: microsoft.onmicrosoft.com
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/00QDP0CFO6mdpACunldhFfqhVWE
Subject: [OAUTH-WG] Proof-Of-Possession Semantics for JSON Web Tokens (JWTs)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Apr 2014 03:37:34 -0000

I've written a concise Internet-Draft on proof-of-possession for JWTs with John Bradley and Hannes Tschofenig.  Quoting from the abstract:

This specification defines how to express a declaration in a JSON Web Token (JWT) that the presenter of the JWT possesses a particular key and that the recipient can cryptographically confirm proof-of-possession of the key by the presenter. This property is also sometimes described as the presenter being a holder-of-key.

This specification intentionally does not specify the means of communicating the proof-of-possession JWT, nor the messages used to exercise the proof key, as these are necessarily application-specific.  Rather, this specification defines a proof-of-possession JWT data structure to be used by other specifications that do define those things.

The specification is available at:

*        http://tools.ietf.org/html/draft-jones-oauth-proof-of-possession-00

An HTML formatted version is available at:

*        http://self-issued.info/docs/draft-jones-oauth-proof-of-possession-00.html

                                                            -- Mike

P.S.  This note was also posted at http://self-issued.info/?p=1210 and as @selfissued.