Re: [OAUTH-WG] AD review of draft-ietf-oauth-proof-of-possession

Mike Jones <> Wed, 25 November 2015 02:10 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 26E3F1ACD97 for <>; Tue, 24 Nov 2015 18:10:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id boQ-EiQPnlBV for <>; Tue, 24 Nov 2015 18:10:09 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id E58751ACD8E for <>; Tue, 24 Nov 2015 18:10:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector1; h=From:To:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=W+iFFGITrLMPb7cAnsoLplb9OQlD3EbA9WxQevOW3KE=; b=PGsUXlVWJqK5PYk+iJIDoVE2jtDM7FOGgFZ5gutPHDXkuyDDXIx8NyJw+KsNnX4brj9FBSgEEJTvL0FvnFJMrCC7gAVwzujx+Y36j96bW/UmCybA1MyCKjnwZck0+ttRGbWeA4ao69z8VqeuomQmp3OToMhixcu7RkNzWlzKQxs=
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.1.331.20; Wed, 25 Nov 2015 02:10:07 +0000
Received: from ([]) by ([]) with mapi id 15.01.0331.023; Wed, 25 Nov 2015 02:10:06 +0000
From: Mike Jones <>
To: Kathleen Moriarty <>, "" <>
Thread-Topic: [OAUTH-WG] AD review of draft-ietf-oauth-proof-of-possession
Thread-Index: AQHRJt++kWDp0FqlfEmPEzc+Ih7voJ6r6UxQ
Date: Wed, 25 Nov 2015 02:10:06 +0000
Message-ID: <>
References: <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
authentication-results: spf=none (sender IP is );
x-originating-ip: [2001:4898:80e8:a::650]
x-microsoft-exchange-diagnostics: 1; BY2PR03MB441; 5:+FBVu/2SrjN3M1Yj4aW6pxYjsCaPsuNj4XV12medTafG8k4zmPDU6rW2yAZjcI3KcKKBcZR7R4l74no08WdHMtjWXVaXoxxjI6E650MIdN5lkE65U8987YLLfRSicjxWyJD/F3MSzTU1M+w4iQ704Q==; 24:OU8EfjFk4noVkVgaWiBD+Tl0hhnkQLa3xkPAMn/ig+xjAHvw48AHzqCtkPw9b87HwfnDlgoC6PQFTozmn6sr9Bd8eCqeBEVm7iKs7b1Dm0c=
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BY2PR03MB441;
x-microsoft-antispam-prvs: <>
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425024)(601004)(2401047)(8121501046)(5005006)(520078)(3002001)(10201501046)(61426024)(61427024); SRVR:BY2PR03MB441; BCL:0; PCL:0; RULEID:; SRVR:BY2PR03MB441;
x-forefront-prvs: 0771670921
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(199003)(189002)(13464003)(377454003)(43784003)(6116002)(5002640100001)(102836003)(230783001)(586003)(87936001)(99286002)(122556002)(105586002)(74316001)(5003600100002)(50986999)(40100003)(106116001)(76176999)(106356001)(5007970100001)(86612001)(54356999)(86362001)(8990500004)(33656002)(10090500001)(10400500002)(5004730100002)(10290500002)(5005710100001)(189998001)(77096005)(5001770100001)(2501003)(5001920100001)(5001960100002)(2900100001)(81156007)(5008740100001)(107886002)(15975445007)(76576001)(92566002)(97736004)(19580405001)(101416001)(19580395003)(2950100001)(3826002); DIR:OUT; SFP:1102; SCL:1; SRVR:BY2PR03MB441;; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None ( does not designate permitted sender hosts)
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 25 Nov 2015 02:10:06.8406 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR03MB441
Archived-At: <>
Subject: Re: [OAUTH-WG] AD review of draft-ietf-oauth-proof-of-possession
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 25 Nov 2015 02:10:11 -0000

Thanks for your review comments, Kathleen.  Responses are inline below...

> -----Original Message-----
> From: OAuth [] On Behalf Of Kathleen
> Moriarty
> Sent: Tuesday, November 24, 2015 9:44 AM
> To:
> Subject: [OAUTH-WG] AD review of draft-ietf-oauth-proof-of-possession
> Hi,
> Thank you all for your work on this draft!  I just have a few questions:
> 1. Security considerations section says:
> "All of the normal security issues, especially in relationship to
>    comparing URIs and dealing with unrecognized values, that are
>    discussed in JWT [JWT] also apply here."
> I find that to be odd phrasing that would likely be picked up in subsequent
> reviews.  Please remove the word "normal" so that all of the security issues
> discusses in JWT are included.  Are there other 'normal considerations in
> addition to those in JWT that need to be listed?  The phrasing reads as if that
> may the case and would be better to include them all or pointers or change
> the phrasing.

You're right.  I removed this awkward wording.

> 2. Also in the security considerations section,
>    "A recipient may not understand the newly introduced "cnf" claim and
>    may consequently treat it as a bearer token."
> What is the proper handling requirement when an unknown claim is
> present?  Section 3.1 says:
>   "When a recipient receives a "cnf" claim with a
>    member that it does not understand, it MUST ignore that member."
> Is this why it is treated as a bearer token rather than being rejected?  Is this
> really the action you want to see with cnf?  Why isn't there an error and a
> resend as a bearer token so that parties understand (or have an opportunity
> to understand) that there were issues?
> Then the following text in the security section says:
>   "While this is a
>    legitimate concern, it is outside the scope of this specification,
>    since demonstration the possession of the key associated with the
>    "cnf" claim is not covered by this specification. For more details,
> How is this outside of the scope of this draft?  cnf is defined in this draft, so
> handling should be covered in this draft.  A pointer to the POP architecture
> draft is not helpful as it is not defined there, it's covered int his draft.  Should
> this text just be removed and replaced with more explicit handling
> information int he body of this draft?

Good catch.  JWT [RFC 7519] Section 4 says that claims that are not understood must be ignored unless otherwise specified by the application.  This allows new claims to be dynamically added without breaking existing applications.  For the same reason, I have incorporated this language about understanding claims from 7519, but having it be about understanding confirmation members.  Ultimately, what features must be implemented are always up to the application, just as with JWT claims.

> Thanks!
> --
> Best regards,
> Kathleen
> _______________________________________________
> OAuth mailing list

				Thanks again,
				-- Mike