[OAUTH-WG] Re: New Draft: draft-ambekar-oauth-epop-00 – Enveloped Proof of Possession
Joe DeCock <joe@duendesoftware.com> Tue, 19 May 2026 17:08 UTC
Return-Path: <joe@duendesoftware.com>
X-Original-To: oauth@mail2.ietf.org
Delivered-To: oauth@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id C9E41F0E6726 for <oauth@mail2.ietf.org>; Tue, 19 May 2026 10:08:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1779210487; bh=+/pz5TePYw4EKrUPwBNFLONm4PdeK+i+su5Du49wPHo=; h=References:In-Reply-To:From:Date:Subject:To:Cc; b=F7Fj87y8/8B1pheHkHnWFn3Z2dBZzcNbe4cR3jFS0A3Zy80UcGz8U+bsK1FWzILKW Z36OJabCBLfRm2585PMpTTtxLtHpyugO4LFkk6UUvRtkw2gtj7zuBUbfD6r3wPuMVG 1aPDZY1gjf1RFIS0T7Lve3Eo+jRfKal+8CnyHf8g=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=duendesoftware.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gmiSYnuKImgQ for <oauth@mail2.ietf.org>; Tue, 19 May 2026 10:08:07 -0700 (PDT)
Received: from mail-ej1-x62a.google.com (mail-ej1-x62a.google.com [IPv6:2a00:1450:4864:20::62a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 1912BF0E671F for <oauth@ietf.org>; Tue, 19 May 2026 10:08:07 -0700 (PDT)
Received: by mail-ej1-x62a.google.com with SMTP id a640c23a62f3a-bcc9fdc959cso755019566b.2 for <oauth@ietf.org>; Tue, 19 May 2026 10:08:07 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1779210480; cv=none; d=google.com; s=arc-20240605; b=MfoMz/p4Ri41UMWwOReFT2/uvEine80QK4Amgv0Alk0vtq3h4O+KcMueFmVtJVff16 fqPrcQqKMSsMwa1V9KB2sDnKKmkbjUY6H7GsR8FtemnA8F3HUMaGwLRCQc5sgDsmcQ3Z yFSEp/hR+CU5R/OliFuWXl2Vm19BQLMwu3qDbV3Zzi/PJMf492CPBUYH7DAO7yVaIL5r yYRregIVhiWtINIcmvFXhR9USNN2b0GTQVOWehB6DekMGaweR7kExIu+tAM/jFEJeMN4 uVN/YfyHauqpBsh/Wk18fyuatXo4va6Lcj9jW2bH5loRd1kAyLGRSYTsPxln9TDhZsV7 7O9g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:dkim-signature; bh=+/pz5TePYw4EKrUPwBNFLONm4PdeK+i+su5Du49wPHo=; fh=45KQ9ThLXsEQCps9+2rGaSkNZxOUQ6mRX1a2sIwVvPY=; b=efVyFSGB1Tls2rPGVBkTJoQrAcFdZXvxNLuftw3/ZWT5cdz32Wk6Mw3CtoFbwzH9hr kaRL0ns3HfNZQ/rkmbooD41io2paQyoL5IpnXrVCdpHXfSyIWbWMZlIzbX2tFZVXqXtp L7uQQNbAMW1yfNz/0hFF1F8NY9CF5lvW/xehaxFBi3EWwaekmnjA6YkwXlC8N3+Ln9/R ezGi8evLIdTDDWO47P6Q/uag7sDx5ogZhD9WMEWFHHqdYO4soPZLCk5XF2Uo9kzM0KL1 huom/wExosnAHGiE4enLPVr8RPULwAwuHEr0Pi//X/EUiFaiDEt4EYSqm52wUpuDdj4Y VjBg==; darn=ietf.org
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=duendesoftware.com; s=google; t=1779210480; x=1779815280; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=+/pz5TePYw4EKrUPwBNFLONm4PdeK+i+su5Du49wPHo=; b=2E2q1027BldkMSqU7jTNAhEhiD5YbcvRZrmHHsehYKEBknnSDRAD1wPrnV1IBte711 GB4HDC3oLwkCIwPfYzOv63WmiUg/ww9y5uYlblBT0uhGHcs1Lyxi36tmf8RYEpePkiwi Qw4faYz5wdtwO/iq+mlUl7gJP3T6DQNWN7mUFoVhDaHY8Vxxk3eQYC6xXuGMv/xQRu+W fE6ipFHJYcc7o2zWm2kG6SwLgDF+Y+IlOAm6r6alrd5O5q+btKZWsNsaXUrDr7QBTg+s 6kFqfEVBUWdO0cNYjfi38lYdj0MkMvdc271x9dTcU7AKux3XVxPGnHctV3xrC/g1CLBF F22Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1779210480; x=1779815280; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=+/pz5TePYw4EKrUPwBNFLONm4PdeK+i+su5Du49wPHo=; b=gjky2f6wfoS1q2B+lJtAa3dPa1vqNhppuSk/pOz2fVb+0liYnnzUVaXujV3i32nLB9 aTwlnDtT6XchzCah85r86ztHGPZ8RI2jAELvdlJZKXqabjXTKtgMSSriReqgxe3uTxuY TbRBhvPst1Vb5ny9B43dnIKOnRsYsYCBDewYhgepy+Xn+5XqgBQl4bYWmextvXabB35N 1F/BgxYVo4uEqGCGBYX9JmjiKuwUtyb5ieHvY0XEZFnutg6zRWpmYP9XZDBGEuyiNeWS dndWyTNItRlelFGOCzCZpiyvlRTRz//ZRkElF90NDeBvVqwVoUqsRqheytepv0obT+Jx OuQQ==
X-Gm-Message-State: AOJu0YyrDIS1S7BD2X6TMxmGbRzl7r7ZoqkPW2Tp7KPHxxv94j9EIaV8 kaQjhZHmSGePEiPBU4+A6Gt1HG9l1tEmYJvsw2iRBgrZXpDryqXeI21UuXRdQjHQhD/8PO5EIpX A3lKdi04vZKeByyav2KC3nLHfb3FPgWgzUKiM6pqw3Z8rqZ0UGQYw9A==
X-Gm-Gg: Acq92OEUn4jsF6fVZEHLK+PSiUqXZUN1v66E9/AX+ppb2ILrA7hKxXOZbGRG+eKFVr5 RFp8KYOQKuSsTvIC6S2KST3x2X/kG1d65nRqybaa3JjS+8GNfeDe9VthVDp90sUJzJAJHt0qMHX Ex80AqWyh9fo9p28cYkaqmorc4rS6lhjtzN+y6Hda6tXXUUfNJ3d9jPjSWwe8uf85JBCxB6Jgx7 8T0I8OBQAXKvuArKJdp2DdD1Mw+HI/t6pgr8FBErslDpZuuvOJi2BTn7mQIE4eE1t+OM+x5XBWa Firq6BP/Yv9Y4pbpzg==
X-Received: by 2002:a17:906:418c:10b0:bd5:2e64:afba with SMTP id a640c23a62f3a-bd52e64b466mr817947366b.29.1779210479569; Tue, 19 May 2026 10:07:59 -0700 (PDT)
MIME-Version: 1.0
References: <CAHcgzD+mWrdoyB13Qj0orqq+qWQ8Pn-Ss=KJVp4-GtqN4dMHAA@mail.gmail.com> <CAA1mknF2pkuW7C8jmFjTOt70fiQU=gOM19bPgE4vV1rCzvMeYA@mail.gmail.com>
In-Reply-To: <CAA1mknF2pkuW7C8jmFjTOt70fiQU=gOM19bPgE4vV1rCzvMeYA@mail.gmail.com>
From: Joe DeCock <joe@duendesoftware.com>
Date: Tue, 19 May 2026 12:07:48 -0500
X-Gm-Features: AVHnY4Id3GW5C4iWqj817CsxPZPYWdAOKBDnKq5j1dlCoYiNCUUMvI519DLNejU
Message-ID: <CAA1mknFuh=NCe0rfwCMq1gQKS6u=1uU9Fb81pXjyQK9TFWx-Bw@mail.gmail.com>
To: Ashwin Ambekar <ambekar@gmail.com>
Content-Type: multipart/alternative; boundary="0000000000009d982d06522eb8fe"
Message-ID-Hash: 72ZRA6KREEMYQLGWNZ2BCDL75FO6GZOB
X-Message-ID-Hash: 72ZRA6KREEMYQLGWNZ2BCDL75FO6GZOB
X-MailFrom: joe@duendesoftware.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: oauth@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [OAUTH-WG] Re: New Draft: draft-ambekar-oauth-epop-00 – Enveloped Proof of Possession
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/eUxbrVr7q1ebdlW3aB5V5nJrIyk>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>
I would also appreciate if you could talk more about the design of the cnonce. It seems like it is meant to replace the server nonce in DPoP, but I don't understand how it can accomplish that. As I understand it, the purpose of DPoP's server nonce is to prevent pre-generation attacks. It can do that because the value of the server nonce is unpredictable. In contrast, EPOP's cnonce is entirely deterministic. It seems like cnonce isn't really meant to prevent pre-generation attacks. But if that's the case, could you simplify the protocol by removing it entirely, since you already have iat for time-bounding the token, and jti for replay detection? Thanks, Joe On Mon, May 18, 2026 at 6:02 PM Joe DeCock <joe@duendesoftware.com> wrote: > Hi Ashwin, > > I think this is an interesting idea. Applying sender constraints without > being tied to http is clearly a real problem. > > I'd be curious to hear more from you about the tradeoffs you considered > when designing EPOP and why you made the decisions you did. For example, my > intuition is that the enveloped approach results in larger data structures > compared to a detached signature. Did you consider a design that keeps the > detached signatures of DPoP? > > Thanks for your work on this draft. > > Joe DeCock > > > On Sat, May 16, 2026 at 9:14 PM Ashwin Ambekar <ambekar@gmail.com> wrote: > >> Hi all, >> >> I've submitted an initial Internet-Draft for a new OAuth 2.0 token >> profile called Enveloped Proof of Possession (EPOP): >> >> https://datatracker.ietf.org/doc/draft-ambekar-oauth-epop/ >> >> ## What EPOP introduces >> >> EPOP defines a single unified token type that carries both the credential >> (authorization code, access token, or refresh token) and its cryptographic >> proof of possession as an inseparable envelope. This eliminates the split >> between token issuance and proof construction that exists in current >> mechanisms, and brings the following properties: >> >> 1. **Unified credential + proof token** — The credential and its PoP >> proof are bound together at issuance into a single JWT envelope, >> cryptographically tied to the client's key pair. Possession of the token >> alone is insufficient to use it. >> >> 2. **Transport-agnostic proof of possession** — EPOP proof validation >> does not depend on HTTP request parameters, making it applicable uniformly >> across HTTP and non-HTTP transports: MQTT, Kafka, gRPC, SASL, and emerging >> agentic protocols such as MCP. >> >> 3. **Extended PoP support for RFC 7628 (SASL/OAuth)** — EPOP provides a >> concrete proof-of-possession mechanism for SASL-based OAuth flows defined >> in RFC 7628, which currently lacks a sender-constraining profile. >> >> 4. **Client-derived nonce (cnonce)** — EPOP introduces an offline-derived >> client nonce computed deterministically from the client's private key and >> token material. This eliminates the server-issued nonce round-trip required >> by existing mechanisms, enabling stateless proof validation at the resource >> server — critical for high-throughput and constrained deployments. >> >> The draft also covers atomic key rotation, discovery metadata extensions, >> and security considerations for replay prevention and token substitution >> across all supported transports. >> >> ## Seeking feedback on >> >> - Whether the unified envelope model introduces any token substitution or >> cross-credential attack surface not addressed in Section 10. >> - Soundness of the cnonce derivation and replay window model. >> - Operator and implementer perspectives, particularly for non-HTTP >> deployments. >> - Any overlap with active WG drafts I should reference or reconcile >> against. >> >> Source and issue tracker: https://github.com/asambeka/epop >> >> All review, critique, and collaboration interest welcome. >> >> Thanks, >> Ashwin Ambekar >> eBay >> _______________________________________________ >> OAuth mailing list -- oauth@ietf.org >> To unsubscribe send an email to oauth-leave@ietf.org >> >
- [OAUTH-WG] New Draft: draft-ambekar-oauth-epop-00… Ashwin Ambekar
- [OAUTH-WG] Re: New Draft: draft-ambekar-oauth-epo… Gabriel Corona
- [OAUTH-WG] Re: New Draft: draft-ambekar-oauth-epo… Ashwin Ambekar
- [OAUTH-WG] Re: New Draft: draft-ambekar-oauth-epo… Joe DeCock
- [OAUTH-WG] Re: New Draft: draft-ambekar-oauth-epo… Joe DeCock
- [OAUTH-WG] Re: New Draft: draft-ambekar-oauth-epo… Ashwin Ambekar
- [OAUTH-WG] Re: New Draft: draft-ambekar-oauth-epo… Ashwin Ambekar
- [OAUTH-WG] Re: New Draft: draft-ambekar-oauth-epo… Ashwin Ambekar
- [OAUTH-WG] Re: New Draft: draft-ambekar-oauth-epo… Neil Madden
- [OAUTH-WG] Re: New Draft: draft-ambekar-oauth-epo… Ashwin Ambekar
- [OAUTH-WG] Re: New Draft: draft-ambekar-oauth-epo… Neil Madden
- [OAUTH-WG] Re: New Draft: draft-ambekar-oauth-epo… Denis