Re: [OAUTH-WG] New Version Notification for draft-hunt-oauth-pop-architecture-00.txt

Thomas Hardjono <hardjono@MIT.EDU> Fri, 04 April 2014 15:38 UTC

From: Thomas Hardjono <hardjono@MIT.EDU>
To: Bill Mills <>, OAuth WG <>
Date: Fri, 04 Apr 2014 15:38:15 +0000


The PoP terminology is ancient IETF terminology coming from the IPsec WG (also home of the IKE and IKEv2 protocols), and perhaps even before the IPsec WG. So it's a well-known term in the Security Area. I'd suggest we keep it.

Folks that work in the Mail & routing area use the term POP3 or RFC1939 in their context.

People in OASIS security-related Technical Committees use HOK (holder of key), such as the HOK Web Browser profile:


From: OAuth [] on behalf of Bill Mills []
Sent: Thursday, April 03, 2014 12:06 PM
To: Phil Hunt; Prateek Mishra; Hannes Tschofenig; Justin Richer; OAuth WG
Subject: Re: [OAUTH-WG] New Version Notification for draft-hunt-oauth-pop-architecture-00.txt

I really *like* the name "proof of possession", but I think the acronym PoP is going to be confused with POP.  HOTK has the advantage of not being a homonym for anything else.  What about "Possession Proof"?


William J. Mills
"Paranoid" MUX Yahoo!

On Thursday, April 3, 2014 1:38 AM, "" <> wrote:

A new version of I-D, draft-hunt-oauth-pop-architecture-00.txt
has been successfully submitted by Hannes Tschofenig and posted to the
IETF repository.

Name:        draft-hunt-oauth-pop-architecture
Revision:    00
Title:        OAuth 2.0 Proof-of-Possession (PoP) Security Architecture
Document date:    2014-04-03
Group:        Individual Submission
Pages:        21

  The OAuth 2.0 bearer token specification, as defined in RFC 6750,
  allows any party in possession of a bearer token (a "bearer") to get
  access to the associated resources (without demonstrating possession
  of a cryptographic key).  To prevent misuse, bearer tokens must be
  protected from disclosure in transit and at rest.

  Some scenarios demand additional security protection whereby a client
  needs to demonstrate possession of cryptographic keying material when
  accessing a protected resource.  This document motivates the
  development of the OAuth 2.0 proof-of-possession security mechanism.

Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at

The IETF Secretariat
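To make the abstract's bearer-versus-PoP distinction concrete, here is an added example (not code from the draft or from anyone in this thread): a toy authorization server (AS), client and resource server (RS) in Python. The token layout, the derivation of the client's key from a salt plus a secret shared by AS and RS, and the signed-string format are all assumptions made for illustration; the -00 draft is an architecture document and specifies none of them.

```python
import base64, hashlib, hmac, json, secrets

# Constructed secret shared by AS and RS (assumption: provisioned out of band).
AS_RS_SECRET = b"constructed-secret-shared-by-AS-and-RS"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _sign(key: bytes, msg: bytes) -> str:
    return _b64(hmac.new(key, msg, hashlib.sha256).digest())

def _derive_key(salt: str) -> bytes:
    # Assumed scheme: the RS re-derives the client's key from the token's salt,
    # so it needs no round trip to the AS and the key never travels in the token.
    return hmac.new(AS_RS_SECRET, b"pop-key:" + salt.encode(), hashlib.sha256).digest()

def issue_token(sub: str, scope: str, pop: bool):
    """AS side: mint a token. For a PoP token also return the bound key, which
    the client would receive over the TLS-protected token response."""
    claims = {"sub": sub, "scope": scope}
    if pop:
        claims["pop_salt"] = _b64(secrets.token_bytes(16))
    body = json.dumps(claims, sort_keys=True).encode()
    token = _b64(body) + "." + _sign(AS_RS_SECRET, body)
    return token, (_derive_key(claims["pop_salt"]) if pop else None)

def _request_string(method: str, path: str, token: str) -> bytes:
    return f"{method} {path} {token}".encode()

def client_request(method: str, path: str, token: str, key) -> dict:
    """Client side: a bearer client only attaches the token; a PoP client also
    signs the request (method, path, token) with the bound key."""
    req = {"method": method, "path": path, "token": token}
    if key is not None:
        req["sig"] = _sign(key, _request_string(method, path, token))
    return req

def rs_authorize(req: dict) -> bool:
    """RS side: check the token came from the AS; if it is key-bound, demand a
    valid request signature under that key, otherwise the token alone suffices."""
    try:
        body_b64, tag = req["token"].split(".")
        body = base64.urlsafe_b64decode(body_b64 + "=" * (-len(body_b64) % 4))
    except (ValueError, KeyError):
        return False
    if not hmac.compare_digest(tag, _sign(AS_RS_SECRET, body)):
        return False                      # not issued by the AS
    claims = json.loads(body)
    if "pop_salt" not in claims:
        return True                       # bearer: possession of the token is enough
    expected = _sign(_derive_key(claims["pop_salt"]),
                     _request_string(req["method"], req["path"], req["token"]))
    return hmac.compare_digest(req.get("sig", ""), expected)
```

The point the abstract makes falls out of the last function: a PoP token presented without the key, or with a signature made for a different request, is refused, while a bearer token is accepted from whoever holds it.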