Re: [OAUTH-WG] trouble reading the start of sec 3 proof-of-possession-02

John Bradley <ve7jtb@ve7jtb.com> Wed, 25 March 2015 15:48 UTC

From: John Bradley <ve7jtb@ve7jtb.com>
Date: Wed, 25 Mar 2015 10:48:01 -0500
To: Brian Campbell <bcampbell@pingidentity.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/KqK03mftja34ZLo-xWU23jRGl-c>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>

Sure, no problem :)

> On Mar 25, 2015, at 10:42 AM, Brian Campbell <bcampbell@pingidentity.com> wrote:
> 
> Yeah, sorry, I misspoke (this stuff isn't easy). The presenter doesn't confirm. The presenter presents the token along with something that proves possession, which allows the recipient to confirm. My original gripe with both texts is that they seem to suggest that the presenter makes the declaration in the token, which isn't true except for the special case of issuer=presenter. In trying to clarify that, I made a different mistake. I'm sure the draft authors will have no problem stating it clearly, concisely and accurately though :)
> 
> On Wed, Mar 25, 2015 at 10:34 AM, Justin Richer <jricher@mit.edu <mailto:jricher@mit.edu>> wrote:
> Agree that this language isn’t clear. The presenter doesn’t confirm the claim either, the presenter never even looks for it (unless the presenter is the issuer, which is a special and hopefully rare case). That’s why the key is delivered to the presenter in parallel with the token. It’s the RS that confirms the claim (in OAuth PoP), or whoever’s processing the key-protected call downstream (in something that isn’t OAuth).
> 
>  — Justin
> 
>> On Mar 25, 2015, at 9:37 AM, Brian Campbell <bcampbell@pingidentity.com <mailto:bcampbell@pingidentity.com>> wrote:
>> 
>> There's similar wording in sec 3.3 <https://tools.ietf.org/html/draft-ietf-oauth-proof-of-possession-02#section-3.3> too that seems to suggest that the presenter is the one that makes the claim. 
>> 
>> I think the presenter confirms the claim when it presents. It's the issuer that makes/asserts/declares the claim. No?  
>> 
>>   "In
>>    this case, the presenter of a JWT declares that it possesses a
>>    particular key and that the recipient can cryptographically confirm
>>    proof-of-possession of the key by the presenter by including a "cnf"
>>    (confirmation) claim in the JWT whose value is a JSON object, with
>>    the JSON object containing a "kid" (key ID) member identifying the
>>    key."
>> 
>> On Sun, Mar 22, 2015 at 8:42 PM, Brian Campbell <bcampbell@pingidentity.com <mailto:bcampbell@pingidentity.com>> wrote:
>> My brain hurt trying to parse the first sentence/paragraph from section 3 <https://tools.ietf.org/html/draft-ietf-oauth-proof-of-possession-02#section-3>: 
>>    "The presenter of a JWT declares that it possesses a particular key
>>    and that the recipient can cryptographically confirm proof-of-
>>    possession of the key by the presenter by including a "cnf"
>>    (confirmation) claim in the JWT whose value is a JSON object, with
>>    the JSON object containing a "jwk" (JSON Web Key) or "kid" (key ID)
>>    member identifying the key."
>> The issuer includes the "cnf" claim and makes the declaration not the presenter. Sure, the presenter may be the issuer but that's a special case.
>> 
>> Isn't it more accurate to say that it is the issuer who declares that the presenter can confirm itself by some cryptographic proof-of-possession of the key identified by the "cnf" claim? Or something more like that...
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
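The three roles the thread is untangling (the issuer declares the key in the "cnf" claim, the presenter only proves possession, the recipient confirms), shown as an added illustration that is not part of this thread or of the draft. HS256 for the issuer signature, an HMAC proof bound to the request, and the shared "kid" key store are constructed assumptions; the draft itself does not fix a proof mechanism.

```python
# Constructed illustration of issuer / presenter / recipient roles for a JWT
# carrying a "cnf" claim with a "kid" member. Not draft code.
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

ISSUER_KEY = b"issuer-signing-key (constructed)"  # shared by issuer and RS
POP_KEY = b"pop-key-for-kid-1 (constructed)"      # delivered to presenter in parallel
KEY_STORE = {"kid-1": POP_KEY}                     # RS-side lookup by "kid"

def issue_jwt(subject: str, kid: str) -> str:
    """Issuer: it, not the presenter, writes the 'cnf' claim naming the PoP key."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = b64url(json.dumps({"iss": "as", "sub": subject, "aud": "rs",
                                "cnf": {"kid": kid}}).encode())
    sig = hmac.new(ISSUER_KEY, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{b64url(sig)}"

def present(jwt: str, pop_key: bytes, method: str, path: str) -> dict:
    """Presenter: never reads 'cnf'; proves possession of its key over the request."""
    proof = hmac.new(pop_key, f"{method} {path} {jwt}".encode(), hashlib.sha256).digest()
    return {"method": method, "path": path, "token": jwt, "proof": b64url(proof)}

def confirm(request: dict) -> bool:
    """Recipient (RS): checks the issuer signature, reads 'cnf', verifies the proof."""
    header, claims, sig = request["token"].split(".")
    expected = hmac.new(ISSUER_KEY, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return False  # token not issued by the trusted issuer
    body = json.loads(b64url_decode(claims))
    key = KEY_STORE.get(body.get("cnf", {}).get("kid"))
    if key is None:
        return False  # issuer declared no key we can confirm against
    msg = f"{request['method']} {request['path']} {request['token']}".encode()
    want = hmac.new(key, msg, hashlib.sha256).digest()
    return hmac.compare_digest(want, b64url_decode(request["proof"]))
```

A bearer-style replay (token presented without the key, or with the proof bound to a different request) fails at the RS even though the token itself is valid.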