Re: [OAUTH-WG] Proof-of-Possession (PoP) Architecture Document

Mike Jones <> Sun, 13 April 2014 03:31 UTC

From: Mike Jones <>
To: Chuck Mortimore <>, Hannes Tschofenig <>
Date: Sun, 13 Apr 2014 03:30:45 +0000
Subject: Re: [OAUTH-WG] Proof-of-Possession (PoP) Architecture Document

The new specification defines a way to compute a thumbprint for a JWK (or in fact, any key with a defined JWK representation).

-- Mike
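The thumbprint computation Mike refers to, worked through as an added example (this is not code from the thread, from the architecture document, or from the draft Mike mentions). It assumes the specification he means is the JWK Thumbprint draft that later became RFC 7638: the input is only the key type's required members, serialized in lexicographic order with no whitespace, hashed with SHA-256 and base64url-encoded. Carrying that fingerprint in the access token under a `cnf` / `jkt` claim is an assumption drawn from the later RFC 7800, and the EC key values below are constructed sample values, not anyone's real key.

```python
import base64
import hashlib
import hmac
import json

# Required members per key type, per RFC 7638 section 3.2 (assumption: the
# "new specification" in the thread is that draft).
REQUIRED_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "oct": ("k", "kty"),
}

# Constructed sample EC public key; the x/y values are illustrative only.
SAMPLE_EC_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
    "kid": "2014-04-client-key",   # optional members must NOT affect the thumbprint
    "use": "sig",
}


def canonical_jwk(jwk: dict) -> str:
    """Return the canonical JSON the thumbprint is computed over.

    Only the required members for the key type are kept, sorted by member
    name, with no whitespace. Anything else (kid, use, alg, x5c ...) is dropped,
    so two JWKs for the same key yield the same thumbprint.
    """
    kty = jwk.get("kty")
    if kty not in REQUIRED_MEMBERS:
        raise ValueError(f"unsupported kty: {kty!r}")
    missing = [m for m in REQUIRED_MEMBERS[kty] if m not in jwk]
    if missing:
        raise ValueError(f"JWK missing required members: {missing}")
    subset = {m: jwk[m] for m in REQUIRED_MEMBERS[kty]}
    # sort_keys orders by code point, which is the lexicographic order required
    return json.dumps(subset, sort_keys=True, separators=(",", ":"), ensure_ascii=False)


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict, hash_name: str = "sha256") -> str:
    """Hash the canonical form; SHA-256 is the default the spec recommends."""
    digest = hashlib.new(hash_name, canonical_jwk(jwk).encode("utf-8")).digest()
    return b64url(digest)


def bind_key_to_token_claims(claims: dict, client_jwk: dict) -> dict:
    """Authorization-server side: embed the fingerprint in the token claims.

    The cnf/jkt claim shape is an assumption (RFC 7800); the thread itself only
    says the fingerprint goes "in the access token".
    """
    bound = dict(claims)
    bound["cnf"] = {"jkt": jwk_thumbprint(client_jwk)}
    return bound


def key_matches_token(claims: dict, presented_jwk: dict) -> bool:
    """Resource-server side: recompute the thumbprint of the key the client
    proved possession of and compare it to the one bound into the token."""
    expected = claims.get("cnf", {}).get("jkt")
    if not isinstance(expected, str):
        return False   # token carries no key binding: do not accept it as PoP
    try:
        actual = jwk_thumbprint(presented_jwk)
    except ValueError:
        return False
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    print("canonical:", canonical_jwk(SAMPLE_EC_JWK))
    print("thumbprint:", jwk_thumbprint(SAMPLE_EC_JWK))
    token = bind_key_to_token_claims({"iss": "as.example", "sub": "client-1"}, SAMPLE_EC_JWK)
    print("bound claims:", json.dumps(token))
    print("key matches token:", key_matches_token(token, SAMPLE_EC_JWK))
```

The check in `key_matches_token` is the whole point of the binding: a token stolen without the corresponding private key is useless, because whoever presents it must also prove possession of a key whose thumbprint equals `cnf.jkt`. Note that the thumbprint deliberately ignores `kid`, `use` and any certificate members, which is why it can serve as a stable public-key fingerprint where `x5t` (a certificate thumbprint) cannot.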

From: OAuth On Behalf Of Chuck Mortimore
Sent: Saturday, April 12, 2014 6:09 PM
To: Hannes Tschofenig
Subject: Re: [OAUTH-WG] Proof-of-Possession (PoP) Architecture Document

Nice document. One quick question.

In Section 6, on the use of asymmetric keys, it is stated "If the client generates the key pair it includes a fingerprint of the public key (of the SubjectPublicKeyInfo structure, more precisely). The authorization server would include this fingerprint in the access token and thereby bind the asymmetric key pair to the token." However, it's not clear where this fingerprint would go in a JWK. I see a cert fingerprint, but no provision for a public key fingerprint.

What's the intent here?


On Thu, Apr 3, 2014 at 1:40 AM, Hannes Tschofenig <<>> wrote:
Hi all,

as discussed during the last IETF meeting we are re-factoring our
documents on proof-of-possession. (As a reminder, here is the
presentation I gave during the OAuth meeting:

Mike had already posted draft-jones-oauth-proof-of-possession-00 and now
I have added the architecture document, which provides an overview of
the different pieces.

Here is the document for you to look at:

