Re: [OAUTH-WG] Proof-Of-Possession Semantics for JSON Web Tokens (JWTs)

Mike Jones <Michael.Jones@microsoft.com> Sun, 13 April 2014 03:33 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9EF2C1A000B for <oauth@ietfa.amsl.com>; Sat, 12 Apr 2014 20:33:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nvMEvtd3Exr2 for <oauth@ietfa.amsl.com>; Sat, 12 Apr 2014 20:33:25 -0700 (PDT)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2lp0212.outbound.protection.outlook.com [207.46.163.212]) by ietfa.amsl.com (Postfix) with ESMTP id B54791A000F for <oauth@ietf.org>; Sat, 12 Apr 2014 20:33:24 -0700 (PDT)
Received: from BL2PR03CA018.namprd03.prod.outlook.com (10.141.66.26) by BLUPR03MB017.namprd03.prod.outlook.com (10.255.208.39) with Microsoft SMTP Server (TLS) id 15.0.921.12; Sun, 13 Apr 2014 03:33:16 +0000
Received: from BL2FFO11FD010.protection.gbl (2a01:111:f400:7c09::125) by BL2PR03CA018.outlook.office365.com (2a01:111:e400:c1b::26) with Microsoft SMTP Server (TLS) id 15.0.918.8 via Frontend Transport; Sun, 13 Apr 2014 03:33:16 +0000
Received: from mail.microsoft.com (131.107.125.37) by BL2FFO11FD010.mail.protection.outlook.com (10.173.161.16) with Microsoft SMTP Server (TLS) id 15.0.918.6 via Frontend Transport; Sun, 13 Apr 2014 03:33:15 +0000
Received: from TK5EX14MBXC286.redmond.corp.microsoft.com ([169.254.1.232]) by TK5EX14MLTC102.redmond.corp.microsoft.com ([157.54.79.180]) with mapi id 14.03.0174.002; Sun, 13 Apr 2014 03:32:53 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Chuck Mortimore <cmortimore@salesforce.com>
Thread-Topic: [OAUTH-WG] Proof-Of-Possession Semantics for JSON Web Tokens (JWTs)
Thread-Index: Ac9OJMm2QQWqL+riTTewCyU8ts655AIkJjcAAATakwA=
Date: Sun, 13 Apr 2014 03:32:52 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739439A155FFB@TK5EX14MBXC286.redmond.corp.microsoft.com>
References: <4E1F6AAD24975D4BA5B16804296739439A132083@TK5EX14MBXC286.redmond.corp.microsoft.com> <CA+wnMn_LBojNz+LCTTQN62P_U7Rag0rot715c7XCOcXAQJmEhA@mail.gmail.com>
In-Reply-To: <CA+wnMn_LBojNz+LCTTQN62P_U7Rag0rot715c7XCOcXAQJmEhA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.37]
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739439A155FFBTK5EX14MBXC286r_"
MIME-Version: 1.0
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(10009001)(438001)(377454003)(189002)(199002)(24454002)(77982001)(71186001)(81342001)(15975445006)(2009001)(86612001)(80976001)(19300405004)(4396001)(54356999)(92566001)(76176999)(76482001)(81542001)(16236675002)(83072002)(6806004)(19580395003)(86362001)(46102001)(15202345003)(66066001)(83322001)(19580405001)(44976005)(2656002)(80022001)(84676001)(74502001)(87936001)(55846006)(79102001)(92726001)(20776003)(97736001)(33656001)(512954002)(85852003)(84326002)(85806002)(74662001)(50986999)(31966008)(99396002)(6606295002); DIR:OUT; SFP:1101; SCL:1; SRVR:BLUPR03MB017; H:mail.microsoft.com; FPR:CC40D19E.9E3A46D9.B3D3BD49.4CF0F471.20311; PTR:InfoDomainNonexistent; MX:1; A:1; LANG:en;
X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY)
X-Forefront-PRVS: 018093A9B5
Received-SPF: Pass (: domain of microsoft.com designates 131.107.125.37 as permitted sender) receiver=; client-ip=131.107.125.37; helo=mail.microsoft.com;
X-OriginatorOrg: microsoft.onmicrosoft.com
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/Vrkcm_qCbc2uj1ncTzsfie0E9UM
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Proof-Of-Possession Semantics for JSON Web Tokens (JWTs)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 13 Apr 2014 03:33:27 -0000

Is having multiple confirmation keys a common case?  I'd rather we "make simple things simple" than build the most general solution possible.  If an application really needs multiple confirmation keys, it can always defined a "jwks" element and the handling rules for it, and go for it...

                                                            -- Mike

From: Chuck Mortimore [mailto:cmortimore@salesforce.com]
Sent: Saturday, April 12, 2014 6:12 PM
To: Mike Jones
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Proof-Of-Possession Semantics for JSON Web Tokens (JWTs)

Good start here Mike!

One quick question - I see the "cnf" member is defined as a JWK.  Why not a JWK Set?    I could see use-cases for binding in multiple keys.

-cmort



On Tue, Apr 1, 2014 at 8:36 PM, Mike Jones <Michael.Jones@microsoft.com<mailto:Michael.Jones@microsoft.com>> wrote:
I've written a concise Internet-Draft on proof-of-possession for JWTs with John Bradley and Hannes Tschofenig.  Quoting from the abstract:

This specification defines how to express a declaration in a JSON Web Token (JWT) that the presenter of the JWT possesses a particular key and that the recipient can cryptographically confirm proof-of-possession of the key by the presenter. This property is also sometimes described as the presenter being a holder-of-key.

This specification intentionally does not specify the means of communicating the proof-of-possession JWT, nor the messages used to exercise the proof key, as these are necessarily application-specific.  Rather, this specification defines a proof-of-possession JWT data structure to be used by other specifications that do define those things.

The specification is available at:

*        http://tools.ietf.org/html/draft-jones-oauth-proof-of-possession-00

An HTML formatted version is available at:

*        http://self-issued.info/docs/draft-jones-oauth-proof-of-possession-00.html

                                                            -- Mike

P.S.  This note was also posted at http://self-issued.info/?p=1210 and as @selfissued.


_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth