Re: [OAUTH-WG] Barry Leiba's No Objection on draft-ietf-oauth-proof-of-possession-09: (with COMMENT)

Mike Jones <> Wed, 16 December 2015 23:54 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id BDA421A9130; Wed, 16 Dec 2015 15:54:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id zhgMMin-7OfE; Wed, 16 Dec 2015 15:54:20 -0800 (PST)
Received: from ( [IPv6:2a01:111:f400:fc10::770]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id DFA441A9126; Wed, 16 Dec 2015 15:54:16 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector1; h=From:To:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=E0laRVOCryWbvP0nx53y/OVJCEPX82K2oT4YajW2uqU=; b=gDJ4GJpXWzGot9TceEjox5VwyqcfHoY9oJvb5PzWrfZODi3hdk3P+AZ1pZZws/iE7tVBs9eXnFCLLNQECO+pKBSxPQzzXSybXoWSWarHgh0t8MbefAWOM9ozn2QzLXDYr674I0CcLPF+S0h6w/EweNwF7+Y69VcqdzPGNERPcD8=
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.1.355.16; Wed, 16 Dec 2015 23:53:58 +0000
Received: from ([]) by ([]) with mapi id 15.01.0355.012; Wed, 16 Dec 2015 23:53:57 +0000
From: Mike Jones <>
To: Barry Leiba <>, The IESG <>
Thread-Topic: Barry Leiba's No Objection on draft-ietf-oauth-proof-of-possession-09: (with COMMENT)
Thread-Index: AQHRN4cLmDK7wJJIJEK+vtr4cZl3Np7OPS6A
Date: Wed, 16 Dec 2015 23:53:57 +0000
Message-ID: <>
References: <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
authentication-results: spf=none (sender IP is );
x-originating-ip: []
x-microsoft-exchange-diagnostics: 1; BL2PR03MB434; 5:eB5+1Ntj5xwDoQ9X8d/cagS/5Dvv6uVbIYpxXaOtLQnipOpz5/wy71WQkCLepvho0HpQwaMMY5wvCwK9adqbqtPqoKJwL58o2mCUakPLMHp5wVtUvt/JkDDdgArgfZHNhNewJ/QvY6UFXPGKz30XqA==; 24:Y55jtQCuU8HiPwsiitZ3N1Ro6VGMVkzt4mhARHOvUE1r3+DWD7RJOveNkLOSV3Nl+yI2VliUoqIO135w5XFcFqLnJfDSDdq5xppG1Q+FmZg=
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BL2PR03MB434;
x-microsoft-antispam-prvs: <>
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(601004)(2401047)(520078)(5005006)(8121501046)(3002001)(10201501046)(61426038)(61427038); SRVR:BL2PR03MB434; BCL:0; PCL:0; RULEID:; SRVR:BL2PR03MB434;
x-forefront-prvs: 0792DBEAD0
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(52044002)(43784003)(189002)(377454003)(199003)(13464003)(97736004)(86362001)(81156007)(15975445007)(99286002)(2900100001)(5004730100002)(50986999)(5001770100001)(2950100001)(54356999)(76176999)(106356001)(77096005)(87936001)(106116001)(86612001)(74316001)(230783001)(105586002)(33656002)(10090500001)(40100003)(10400500002)(10290500002)(122556002)(8990500004)(101416001)(92566002)(5005710100001)(66066001)(5003600100002)(6116002)(102836003)(5002640100001)(586003)(5001960100002)(3846002)(189998001)(1220700001)(19580405001)(19580395003)(5008740100001)(1096002)(76576001); DIR:OUT; SFP:1102; SCL:1; SRVR:BL2PR03MB434;; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None ( does not designate permitted sender hosts)
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 16 Dec 2015 23:53:57.8055 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BL2PR03MB434
Archived-At: <>
Cc: "" <>, "" <>, "" <>
Subject: Re: [OAUTH-WG] Barry Leiba's No Objection on draft-ietf-oauth-proof-of-possession-09: (with COMMENT)
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 16 Dec 2015 23:54:22 -0000

Hi Barry,

Thanks for your review.  Please see my responses inline below...

> -----Original Message-----
> From: Barry Leiba []
> Sent: Tuesday, December 15, 2015 11:22 PM
> To: The IESG <>
> Cc:;;
> Subject: Barry Leiba's No Objection on draft-ietf-oauth-proof-of-possession-
> 09: (with COMMENT)
> Barry Leiba has entered the following ballot position for
> draft-ietf-oauth-proof-of-possession-09: No Objection
> When responding, please keep the subject line intact and reply to all email
> addresses included in the To and CC lines. (Feel free to cut this introductory
> paragraph, however.)
> Please refer to
> for more information about IESG DISCUSS and COMMENT positions.
> The document, along with other ballot positions, can be found here:
> ----------------------------------------------------------------------
> ----------------------------------------------------------------------
> The Abstract and Introduction both say something like this:
>    This specification defines how a JSON Web Token (JWT) [JWT] can
>    declare that the presenter of the JWT possesses a key and that the
>    recipient can cryptographically confirm that the presenter possesses
>    that key.
> The JWT doesn't declare that the presenter possesses the key; it declares
> that the presenter *must* possess the key... yes?  Shouldn't this say
> that?:
>    This specification defines how a JSON Web Token (JWT) [JWT] can
>    declare that the presenter of the JWT must possess a key and how
>    the recipient can cryptographically confirm that the presenter
>    possesses that key.
> (Also notice change from "that" to "how".)

How about this version instead?

"This specification defines how to declare in a JSON Web Token (JWT) that the presenter of the JWT possesses a particular proof-of-possession key and that the recipient can cryptographically confirm proof-of-possession of the key by the presenter. Being able to prove possession of a key is also sometimes described as the presenter being a holder-of-key."

The proposed "must possess" wording for some reason sounds awkward to my ear and the "must" is redundant, since for the statement "the recipient can cryptographically confirm proof-of-possession of the key" to be true, the presenter must possess the key.

A change from "that" to "how" would imply something that isn't true - that this spec says *how* the recipient conforms proof of possession.  The conformation protocol message(s) used for particular applications are explicitly out of scope for this specification.  If we said "how", readers would later feel cheated. Thus, I haven't made this change.

>    This
>    specification defines how to communicate key confirmation key
>    information in JWTs.
> "key confirmation key information" seems odd and hard to follow.  I think
> "key information used in key confirmation" is a better way to say it.
> But perhaps the sentence as a whole could be better phrased.  Does
> something like this work?:
>    This specification defines how to imbed into the JWT the key
>    information that is used in key confirmation.

I agree that the sentence you cited is awkward.  How about this instead?

"This specification defines how to communicate information about the proof-of-possession key using a claim in a JWT."

> -- Section 2 --
> Minor, very unimportant point: There's no reason to put, for example,
> "(JWT)", when the citation "[JWT]" immediately follows it.  I suggest just
> using the citation to provide the abbreviation, and eliminating "(JWT)",
> "(JWK)", and "(JWE)".  But very unimportant; do, or don't, and no need to
> respond to this item.


> -- Section 3 --
>    The issuer of a JWT declares that the presenter possesses a
>    particular key and that the recipient can cryptographically confirm
>    proof-of-possession of the key by the presenter by including a "cnf"
>    (confirmation) claim in the JWT whose value is a JSON object.
> I was convinced that this wasn't right until I read it for about the eighth time.
> It sounds like the recipient includes the "cnf" claim in the JWT, when it's
> actually the issuer.  That happens when long sentences have too many
> qualifiers strung together.  How about this?:
>    By including a "cnf" (confirmation) claim in a JWT, the issuer
>    of the JWT declares that the presenter possesses a particular key,
>    and that the recipient can cryptographically confirm that the
>    presenter has proof-of-possession of that key.  The value in the
>    cnf claim is a JSON object, and members in that object identify
>    the proof-of-possession key.

Sounds good

> -- Section 3.5 --
>    The protocol used to acquire the resource MUST provide integrity
>    protection; an HTTP GET request to retrieve the JWK Set MUST use
>    Transport Layer Security (TLS) [RFC5246]; and the identity of the
>    server MUST be validated, as per Section 6 of RFC 6125 [RFC6125].
> Little editorial punctuational nonsense: I would make the first semicolon a
> colon instead (or perhaps a period), and I would then make the second
> semicolon a comma.

I agree this is currently overly fussy.  I'll change the first semicolon to a period and remove the second.

> -- Section 4 --
> In the last paragraph, can you provide a reference for "audience restriction"?

Sure - I'll cite JWT 4.1.3 - the "aud" claim.

> -- Section 6 --
> Can we get this fixed in all the OAuth and JOSE documents?  It's getting old
> having to make the same comment for every document:  We should not be
> trying to set up IANA processes in our IANA Considerations.  The fourth and
> sixth paragraphs aren't appropriate here: IANA coordinates and tracks
> registration requests, and all requests should go to IANA.  IANA will contact
> the DEs, not the other way around.  The authors have seen this comment
> from me before....

Fair enough.  I'll delete these paragraphs, moving the 21-day time period sentence to another location. 

I'll now work on applying these resolutions to the specification and then will republish.

				Thanks again!
				-- Mike