Re: [OAUTH-WG] Review comments to PoP document

Mike Jones <> Mon, 19 October 2015 23:02 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 5E2891B2D4C for <>; Mon, 19 Oct 2015 16:02:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id cKYjXEki0w_c for <>; Mon, 19 Oct 2015 16:02:38 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id EE7761AC429 for <>; Mon, 19 Oct 2015 16:02:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector1; h=From:To:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=PeF38BPrwBzK/sBlv9aPDjoS83QnEij4PM8r5MeVZtM=; b=c+Umo0sece+BuvYGVo6jO1HVUCBzMZ0jZk/Hd8ljky6mk+lwOWhtJGx8wH8x7uLfcsy4912lAlpOMZqR+2uGDwKwaQbLsDgzZLQb1T7dKgTW25ez1UrxMhZLQb0oVQYcaQKQVTJLH8A43QMr44JbXXDheXkzariBFhz7lQkjzwk=
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.1.300.14; Mon, 19 Oct 2015 23:02:23 +0000
Received: from ([]) by ([]) with mapi id 15.01.0300.010; Mon, 19 Oct 2015 23:02:24 +0000
From: Mike Jones <>
To: Kepeng Li <>, "" <>
Thread-Topic: Review comments to PoP document
Thread-Index: AQHRAQy64oow7N4z4U6J9u6BZvdoP55hw/IQgACWtwCAEScXQA==
Date: Mon, 19 Oct 2015 23:02:23 +0000
Message-ID: <>
References: <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
authentication-results: spf=none (sender IP is );
x-originating-ip: []
x-microsoft-exchange-diagnostics: 1; BY2PR03MB443; 5:CsltWEMX0CKiRJCZqZQGcpRN8ARKIw0RFCvojQsKXOUACyu1i06lwC2y787ms+2NnbbM3pdqxeP2l2s0etRNxYCjyarPs8jjVUYGi3AfTTYecobesuYaXyb/QomVmnK8D6yyepNBaICbHCorDUxskA==; 24:q6g4+0zrryQolIa1mkS7o5mFDVJs9BiViGqg8qz41abiYcQd4Ij7lJNrFzgtsrNYGHD8ARg0d1Sb0sciCzVcuLSRp7DdC+ttIz9WoBDmK28=; 20:M2ryVD1e+bCk7tLonelefIVaZFVL3Joc2uutCnPFTnYWQmV9FwpQfutzuOIyYdH1mLaH8bSBvvWt3n+jaeEbMw==
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BY2PR03MB443;
x-microsoft-antispam-prvs: <>
x-exchange-antispam-report-test: UriScan:(189930954265078)(108003899814671);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425024)(601004)(2401047)(8121501046)(5005006)(520078)(3002001)(61426024)(61427024); SRVR:BY2PR03MB443; BCL:0; PCL:0; RULEID:; SRVR:BY2PR03MB443;
x-forefront-prvs: 07349BFAD2
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(377454003)(189002)(199003)(51914003)(53754006)(43784003)(71364002)(77096005)(10090500001)(15975445007)(97736004)(19625215002)(33656002)(10290500002)(81156007)(76576001)(5005710100001)(10400500002)(19609705001)(74316001)(66066001)(189998001)(5002640100001)(2900100001)(5004730100002)(2950100001)(86362001)(86612001)(102836002)(107886002)(5001770100001)(122556002)(101416001)(5001960100002)(5007970100001)(64706001)(87936001)(92566002)(5003600100002)(106356001)(40100003)(19580395003)(76176999)(19617315012)(16236675004)(46102003)(19580405001)(106116001)(50986999)(99286002)(19300405004)(5008740100001)(8990500004)(105586002)(54356999)(2501003); DIR:OUT; SFP:1102; SCL:1; SRVR:BY2PR03MB443;; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None ( does not designate permitted sender hosts)
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_BY2PR03MB442D7E4BE8EA1C29A9EAA5BF53A0BY2PR03MB442namprd_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 19 Oct 2015 23:02:23.9537 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR03MB443
Archived-At: <>
Subject: Re: [OAUTH-WG] Review comments to PoP document
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 19 Oct 2015 23:02:41 -0000

Hi Kepeng,

Draft -05 addresses all your review comments as agreed below, other than adding the diagrams that you requested.  I’ll plan on working on those between now and Yokohama and submitting an updated draft with the diagrams when the submission period opens.

Thanks again for your useful review of this draft.  I added you to the acknowledgements.

                                                            Best wishes,
                                                            -- Mike

From: Kepeng Li []
Sent: Thursday, October 08, 2015 6:04 PM
To: Mike Jones;
Subject: Re: Review comments to PoP document

Hi Mike,

Thanks for your responses.

About the first paragraph in the introduction, I would prefer to make it different from the same one in the abstract.

I am fine with others.

Kind Regards

发件人: Mike Jones <<>>
日期: Friday, 9 October, 2015 1:58 am
至: Li Kepeng <<>>, "<>" <<>>
主题: RE: Review comments to PoP document

Thanks for the useful review, Kepeng.  Responses inline…

From: OAuth [] On Behalf Of Kepeng Li
Sent: Wednesday, October 07, 2015 7:30 AM
Subject: [OAUTH-WG] Review comments to PoP document

Hello all,

Please find my review comments to PoP document:<>

1、          Title:
Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)
[Kepeng] Should we add OAuth 2.0 in the title? Also, in the whole document, we use JWT, but in the title, we use “JWTs”. Is there a reason for this?

I wouldn’t suggest adding “OAuth 2.0” to the title, in part, because JWTs are used in contexts outside of OAuth.  As for why JWTs is plural here, the title is saying that PoP keys can be communicated in JSON Web Tokens.  If it were singular, it would sound like you could only use PoP keys in a single JWT, which isn’t right.

2、          Abstract:
1) This specification defines how to express a declaration in a JSON Web Token (JWT) that the presenter of the JWT possesses a particular key and that the recipient can cryptographically confirm proof-of-possession of the key by the presenter.
[Kepeng] Add reference to JWT.

I’ve been told when editing other drafts to remove references that I’d placed in abstracts, since IETF abstracts don’t include references.

2) This property is also sometimes described as the presenter being a holder-of-key.
[Kepeng] I am not sure what is “this property”. Do you mean “the key”? If yes, just use the key. And change the sentence to something like: This key is also sometimes described as a holder-of-key by the presenter.

I can change “This property” to “Being able to prove possession of a key”.

3. Introduction
1) The first paragraph is the same as the abstract. I suggest to reword it a little bit or remove it, to avoid the redundancy.

The rest of the introduction builds on the ideas introduced in the first two sentences (the content of the abstract). If they were to be removed, it would make the introduction confusing, as many people won’t start by reading the abstract, but will read the introduction independently.  (The introduction does add references, which cannot be present in the abstract.)  I’ll work with the other editors to see if they want to reword the first two sentences of the introduction and/or abstract to make them different from one another.

2) See [I-D.ietf-oauth-pop-architecture] for a further discussion of key confirmation.
[Kepeng] I suggest to mention a little bit more about the relationship between PoP architecture document and this document. In my understanding, in PoP architecture document, it mentions several mechanisms: confidentiality protection, key confirmation and sender constraint. This document introduces the key semantics for the key confirmation mechanism.

OK – we can say that [I-D.ietf-oauth-pop-architecture] describes key confirmation, among other conformation mechanisms, and that this specification defines how to communicate key confirmation key information in JWTs.

3) About the two use cases, it will be useful to use two diagrams or flows to indicate how it works. Maybe put these two flows in a separate section. Also it will be useful to mention which step is in scope, and which is out of scope, e.g. how to convey symmetric key from the issuer to the presenter.

Both are in scope, which is why they’re both described in the introduction.  I’ll work with the other editors on trying to create appropriate diagrams.

4. Section 3:
1) It will be useful to put a reference to "sub" (subject) claim, and "iss" (issuer) claim.


2) Note that if an application needs to represent multiple proof-of-
   possession keys in the same JWT, one way for it to achieve this is to
   use other claim names, in addition to "cnf", to hold the additional
   proof-of-possession key information.
[Kepeng] It is not clear, what are the other claim names?

Fair point.  We can say that those claim names would be defined by applications and could be registered in the JWT Claims Registry.

Kind Regards

                                                            Thanks again!
                                                            -- Mike