IETF Logo Mail Archive

Re: [OAUTH-WG] Proof-Of-Possession Semantics for JSON Web Tokens (JWTs)

John Bradley <ve7jtb@ve7jtb.com> Sun, 13 April 2014 15:16 UTC

Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DCAC01A02C6 for <oauth@ietfa.amsl.com>; Sun, 13 Apr 2014 08:16:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lzOz9Rcjf5O3 for <oauth@ietfa.amsl.com>; Sun, 13 Apr 2014 08:16:47 -0700 (PDT)
Received: from mail-qa0-f44.google.com (mail-qa0-f44.google.com [209.85.216.44]) by ietfa.amsl.com (Postfix) with ESMTP id 6FED31A01C6 for <oauth@ietf.org>; Sun, 13 Apr 2014 08:16:47 -0700 (PDT)
Received: by mail-qa0-f44.google.com with SMTP id hw13so7245854qab.31 for <oauth@ietf.org>; Sun, 13 Apr 2014 08:16:45 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:message-id:references:to; bh=VWcjj/+fF81xFycqlD0QOCC0D70HQ0EABLMqB2IgX80=; b=e+GIuKmE/SDYVffPHQb7HFia3YOWNgLiJGhtMo5DogEztpDopp75N8zQN62AA/5aYw Xd1mlmeRn4MK3l7m6n1oLcsEGEiXlJ9tF24GKUNrsC9PrP+NBBCAMI4ri66/ugb7RjWW C/MqADEwbgHt8ovrQvx4+oauEXpAc8wvKVASkjOQXZeBJPlKFAe88ISg4e3/Hivs8cy3 g36WuFF6xB/1Yo44j01VYS3drUaKDlF59BypUY24m1nNLZexeaHur/oX3Q3TMV8SGyBu mmxSwyn1BMF/vGqOInwXl9EZzGYrx9RaiTw1zgXa3FlIx0R+p1xesGUgzpWy2ar/ykGP YKIQ==
X-Gm-Message-State: ALoCoQke3+6l0SkdmsX4wLKK9TkgSPWxnJoINlXG1Tam27XY65c2NNxWG0VKyX4dOhFYEnMq9zN9
X-Received: by 10.224.13.7 with SMTP id z7mr14809851qaz.4.1397402204941; Sun, 13 Apr 2014 08:16:44 -0700 (PDT)
Received: from [192.168.1.216] ([190.22.119.198]) by mx.google.com with ESMTPSA id g64sm16902822qgf.22.2014.04.13.08.16.36 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Sun, 13 Apr 2014 08:16:44 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail=_437D519A-6C52-4754-BEFD-3967911A4B13"
Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <CA+wnMn-Dto7ySgNgMu5rkqyzfok1BWdS7WxB18ep+Uv0sFRsuw@mail.gmail.com>
Date: Sun, 13 Apr 2014 12:16:20 -0300
Message-Id: <1AAA2914-E5A6-448D-816B-8F4F657DD120@ve7jtb.com>
References: <4E1F6AAD24975D4BA5B16804296739439A132083@TK5EX14MBXC286.redmond.corp.microsoft.com> <CA+wnMn_LBojNz+LCTTQN62P_U7Rag0rot715c7XCOcXAQJmEhA@mail.gmail.com> <4E1F6AAD24975D4BA5B16804296739439A155FFB@TK5EX14MBXC286.redmond.corp.microsoft.com> <CA+wnMn-Dto7ySgNgMu5rkqyzfok1BWdS7WxB18ep+Uv0sFRsuw@mail.gmail.com>
To: Chuck Mortimore <cmortimore@salesforce.com>
X-Mailer: Apple Mail (2.1874)
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/Wv7I8Y2NNPnQ6GxDzR7KH5dwmxU
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Proof-Of-Possession Semantics for JSON Web Tokens (JWTs)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 13 Apr 2014 15:16:52 -0000

The client should request a second token for the server rather than try and overload both into the same token.

Or based on the first token the server should use that to exchange it for one that has it's proof key.

In general you want the requester to be able to prove that it has the proof key, or the private key used to decrypt the proof key to get the full benefit.

I can see how having multiple entities able to present the token along with multiple audiences in the token may seem like a simplification for issuing tokens, but I would rather keep the basic model simple and go hop by hop.   I understand that may require a more REST STS like capability than exists in the current token endpoint.


On Apr 13, 2014, at 12:39 AM, Chuck Mortimore <cmortimore@salesforce.com> wrote:

> Not sure it it's common yet.   The scenario I'm exploring is a client that is paired with a server.     For example, a mobile app that's an OpenID Connect client that is sharing it's ID Token with the server.   Both the client and server want to be able to prove possession without sharing a private key.   
> 
> -cmort 
> 
> 
> On Sat, Apr 12, 2014 at 8:32 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:
> Is having multiple confirmation keys a common case?  I’d rather we “make simple things simple” than build the most general solution possible.  If an application really needs multiple confirmation keys, it can always defined a “jwks” element and the handling rules for it, and go for it…
> 
>  
> 
>                                                             -- Mike
> 
>  
> 
> From: Chuck Mortimore [mailto:cmortimore@salesforce.com] 
> Sent: Saturday, April 12, 2014 6:12 PM
> To: Mike Jones
> 
> 
> Cc: oauth@ietf.org
> Subject: Re: [OAUTH-WG] Proof-Of-Possession Semantics for JSON Web Tokens (JWTs)
> 
>  
> 
> Good start here Mike!
> 
>  
> 
> One quick question - I see the "cnf" member is defined as a JWK.  Why not a JWK Set?    I could see use-cases for binding in multiple keys.
> 
>  
> 
> -cmort
> 
>  
> 
>  
> 
>  
> 
> On Tue, Apr 1, 2014 at 8:36 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:
> 
> I’ve written a concise Internet-Draft on proof-of-possession for JWTs with John Bradley and Hannes Tschofenig.  Quoting from the abstract:
> 
>  
> 
> This specification defines how to express a declaration in a JSON Web Token (JWT) that the presenter of the JWT possesses a particular key and that the recipient can cryptographically confirm proof-of-possession of the key by the presenter. This property is also sometimes described as the presenter being a holder-of-key.
> 
>  
> 
> This specification intentionally does not specify the means of communicating the proof-of-possession JWT, nor the messages used to exercise the proof key, as these are necessarily application-specific.  Rather, this specification defines a proof-of-possession JWT data structure to be used by other specifications that do define those things.
> 
>  
> 
> The specification is available at:
> 
> ·        http://tools.ietf.org/html/draft-jones-oauth-proof-of-possession-00
> 
>  
> 
> An HTML formatted version is available at:
> 
> ·        http://self-issued.info/docs/draft-jones-oauth-proof-of-possession-00.html
> 
>  
> 
>                                                             -- Mike
> 
>  
> 
> P.S.  This note was also posted at http://self-issued.info/?p=1210 and as @selfissued.
> 
>  
> 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
> 
>  
> 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email