Re: [OAUTH-WG] Omit "jwk" (or use "kid" instead) in DPoP Proof?

Neil Madden <> Wed, 09 September 2020 06:43 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id CEB3A3A0FD1 for <>; Tue, 8 Sep 2020 23:43:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id uMJvmjUq303o for <>; Tue, 8 Sep 2020 23:43:03 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4864:20::336]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 285853A0FCD for <>; Tue, 8 Sep 2020 23:43:02 -0700 (PDT)
Received: by with SMTP id a65so1125592wme.5 for <>; Tue, 08 Sep 2020 23:43:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google; h=content-transfer-encoding:mime-version:subject:from:in-reply-to:cc :date:message-id:references:to; bh=bX9LmfqT8cqE7cBMV6z5PO+2SIPpZ7BdHCn7MGyKwpE=; b=R+otf55uqlZxxVoNgIZNEwp5jF5ipxkxH8r6JdtmSfhEi6u7o4wxXvxftrIZMlMvH4 S2m+i+Y1NRAD3+fowWjQg7Iau4Gt6GpZy3WnFgOyFDsylJdtVMB9o++UdF5A0/SPWUDa CHzGa/jFqO2klYhIGxBOZPUE9uFj+Dc/JHa2Q=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:content-transfer-encoding:mime-version:subject :from:in-reply-to:cc:date:message-id:references:to; bh=bX9LmfqT8cqE7cBMV6z5PO+2SIPpZ7BdHCn7MGyKwpE=; b=UtPnHAktFr9JEQfRR5l/z/xNs2bMgzlB0kvdegbXOJFXO2qX2A4MkO10LGVQrfhz5X eQNeM0zrP1CJs//N7eD4YK7EBZbD2o+0qVus1EhaWXkOKRpai4N5IiHKcSpBZs/LEIz/ WpFR2ZkSLuX4b372ss3Dw2/wlF7TMoCPjceG3HRsKYmRvPdi1MKJ36vqhvayxVkA2Beg aRyZT0yJgupGNHBH44hy9IF7L1zv9ttgYdzY/lYI6e/FPpSzMcR2JGwo9A2ZEjvyvPro wPw0GdxEoYacbBlCNqER33VBqu6D/wdtqVerBJ89K/TRdUQWdi4XnSXNAjTR2VcNKOPm dONw==
X-Gm-Message-State: AOAM530x5UDoXnbgEaoGp7xfZKeoggXmq/tRGnEbwJY/L62s7gwm6eQY B8WxHEkMAAjLVeh/1zUUW73po08ll708hmhY++sxCLrwfym1JuuC5aBU57uldQoRxf1Beuxf0vk ZWw1g3j1bBifXXTPNlcKWnl9oZURLcGv4jovzuaEirSr0B+c1gvslFfhZYN0mI0q9rg==
X-Google-Smtp-Source: ABdhPJxgiGUXr47Ciu5NG0SoB86VogaEYrIw+hjGZRWfv4pUXvczIQw/eRR+LaTrzXUSUILJDqcNqw==
X-Received: by 2002:a1c:9a48:: with SMTP id c69mr1907285wme.43.1599633780930; Tue, 08 Sep 2020 23:43:00 -0700 (PDT)
Received: from [] ( []) by with ESMTPSA id h76sm2516394wme.10.2020. (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 08 Sep 2020 23:43:00 -0700 (PDT)
Content-Type: multipart/alternative; boundary=Apple-Mail-EC30A4EE-E6F5-4DFB-895A-DB089CE7E2AC
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (1.0)
From: Neil Madden <>
In-Reply-To: <>
Cc:, oauth <>
Date: Wed, 9 Sep 2020 07:42:59 +0100
Message-Id: <>
References: <>
To: Brian Campbell <>
X-Mailer: iPhone Mail (17G80)
Archived-At: <>
Subject: Re: [OAUTH-WG] Omit "jwk" (or use "kid" instead) in DPoP Proof?
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 09 Sep 2020 06:43:06 -0000

I disagree with this rationale, I’m afraid. I don’t think the simplicity gain for the client is really very great and I think we will regret this decision.

Most importantly, including the JWK directly in the proof token increases the likelihood that somebody will just validate the signature using that key and fail to check that it matches the hash in the AT. We’ve already seen at least one vendor make exactly this kind of mistake in the past [1]. Letting the proof tell you the key to use to verify the proof is another example of Moxie’s Cryptographic Doom Principle [2] - trusting the message before you’ve authenticated it. 

Moving the jwk from the DPoP proof to the AT/introspection response reduces the chances of these kind of mistakes. 

As a bonus it also has efficiency gains because the size of the DPoP proof is reduced - potentially by a lot for RSA keys. Although the JWK still has to be communicated to the RS, this can be more efficient because:
- For token introspection, in many deployments the introspection request will be within a datacenter and so over a high-bandwidth low-latency network. This is usually not the case for the DPoP proof, which may be over a poor mobile connection. 
- For embedded directly in a JWT access token, the JWK will be in the claims rather than the header and so can at least be compressed. (Albeit not by much, because public keys don’t compress well, but the rest of the AT will and that can compensate a little for the extra bulk). 


— Neil

>> On 8 Sep 2020, at 23:46, Brian Campbell <> wrote:
> Indeed there are cases, as you point out, where the key might be knowable to the server via some other means, which makes the "jwk" header in the DPoP proof not strictly necessary. And while omitting the key in such cases would reduce the size of some messages (the DPoP proof anyway), such optionality would add complexity to implementations and deployments (and that kind of complexity can and often does degrade interoperability and even security). How, for example, would a client know if the access token includes the public key and thus whether or not to include the key with the proof? Sure the access token could always include the key (rather than thumbprint) but then there's the question of how to get the key to the AS. As well as the stated desire to utilize the same DPoP Proof structure for requests to both the AS and RS. There will be some clients that have public key(s) registered and some that won't (maybe a lot that won't as a driving use case for many for this is key binding access and refresh tokens for public clients). The protocol defined by the draft needs to account for both. 
> Ultimately there are a number of different ways the necessary data could flow through the various protocol elements. And there are some tradeoffs with different approaches and/or trying to accommodate variations under one approach. The approach the draft has taken thus far is to prioritize consistency and simplicity as much as is possible. And that ethos has led to how it's currently defined, which is to always include the key in the proof and bind to a hash of the key in the access token. 
>> On Tue, Sep 8, 2020 at 3:29 AM <> wrote:
>> Hi all,
>> In section 4.1 of draft-ietf-oauth-dpop-01, the "jwk" header parameter is
>> REQUIRED. However, there are some cases where "jwk" is not necessary in theory.
>> For example, consider a case where the client is registered with the
>> Authorization Server, and its one and only public key is also registered with
>> the AS. In that case, when the AS receives a request on Token endpoint, it can
>> just use the public key registered for the client to verify the DPoP Proof.
>> There is no need to send the public key in DPoP Proof.
>> The same goes for requests to the Resource Server, if the AS and RS share the
>> storage for clients' public keys. Things are a little difficult if the AS and RS
>> are separate. Probably the Access Token or its introspection result have to
>> include the public key (instead of its thumbprint as described in section 7).
>> If the client registers multiple keys with the AS, it needs to specify which key
>> it uses to sign the DPoP Proof. However, there is still no absolute need to send
>> the whole key in DPoP Proof. Instead, the client could use "kid" header
>> parameter to specify the key.
>> Daniel Fett once mentioned the above case in the GitHub issue #26 [*1], but I'm
>> not sure what happened to the discussion. There was also a comment on the latest
>> draft about the "jwk" header parameter [*2]. I agree with using the same DPoP
>> Proof structure for requests to AS and RS, but I think there are some cases
>> where we can omit "jwk" in BOTH requests. Making "jwk" OPTIONAL would allow
>> those cases to reduce some messaging overhead.
>> I'd like to hear your opinions about it.
>> [*1]:
>> [*2]:
>> Best regards,
>> Toshio Ito
>> -------------
>> Toshio Ito
>> Research and Development Center
>> Toshiba Corporation
>> _______________________________________________
>> OAuth mailing list
> CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited.  If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._______________________________________________
> OAuth mailing list