Re: [OAUTH-WG] Proof-Of-Possession Semantics for JSON Web Tokens (JWTs)

Mike Jones <> Wed, 02 April 2014 17:48 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 1A5621A02E5 for <>; Wed, 2 Apr 2014 10:48:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id THabGjKM2Ctv for <>; Wed, 2 Apr 2014 10:48:00 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 3BD321A02D4 for <>; Wed, 2 Apr 2014 10:48:00 -0700 (PDT)
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.898.11; Wed, 2 Apr 2014 17:47:53 +0000
Received: from (2a01:111:f400:7c10::140) by (2a01:111:e400:2c2c::27) with Microsoft SMTP Server (TLS) id 15.0.908.10 via Frontend Transport; Wed, 2 Apr 2014 17:47:53 +0000
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.908.10 via Frontend Transport; Wed, 2 Apr 2014 17:47:52 +0000
Received: from ( by ( with Microsoft SMTP Server (TLS) id; Wed, 2 Apr 2014 17:47:15 +0000
Received: from ([]) by ([]) with mapi id 14.03.0174.002; Wed, 2 Apr 2014 17:47:14 +0000
From: Mike Jones <>
To: John Bradley <>, "Manger, James" <>
Thread-Topic: [OAUTH-WG] Proof-Of-Possession Semantics for JSON Web Tokens (JWTs)
Thread-Index: AQHPTnnAeMPKUegAs06Cn/74D6P3OJr+lJ2g
Date: Wed, 2 Apr 2014 17:47:13 +0000
Message-ID: <>
References: <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739439A13406FTK5EX14MBXC286r_"
MIME-Version: 1.0
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: =?us-ascii?Q?CIP:; CTRY:US; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(100?= =?us-ascii?Q?09001)(438001)(51704005)(24454002)(377454003)(51914003)(1890?= =?us-ascii?Q?02)(199002)(13464003)(2656002)(90146001)(77982001)(74502001)?= =?us-ascii?Q?(15395725003)(87266001)(85306002)(97736001)(19300405004)(568?= =?us-ascii?Q?16005)(95666003)(87936001)(80022001)(79102001)(80976001)(477?= =?us-ascii?Q?36001)(85852003)(81816001)(20776003)(512934002)(16236675002)?= =?us-ascii?Q?(66066001)(98676001)(31966008)(97186001)(74662001)(99396002)?= =?us-ascii?Q?(63696002)(16796002)(15975445006)(4396001)(15202345003)(9256?= =?us-ascii?Q?6001)(94946001)(47976001)(59766001)(85806002)(83072002)(8432?= =?us-ascii?Q?6002)(65816001)(83322001)(50986001)(81342001)(74706001)(4497?= =?us-ascii?Q?6005)(53806001)(19580405001)(95416001)(54316002)(86362001)(8?= =?us-ascii?Q?1686001)(19580395003)(71186001)(2009001)(49866001)(6806004)(?= =?us-ascii?Q?81542001)(86612001)(92726001)(97336001)(51856001)(93516002)(?= =?us-ascii?Q?94316002)(56776001)(84676001)(76482001)(76796001)(46102001)(?= =?us-ascii?Q?76786001)(54356001)(47446002)(33656001)(93136001)(69226001)(?= =?us-ascii?Q?74876001)(74366001)(77096001); DIR:OUT; SFP:1101; SCL:1; SRVR:BY?= =?us-ascii?Q?2PR03MB175;; FPR:CE5CF1D5.A2F27145.BDF3B1?= =?us-ascii?Q?8B.5EE8C940.20668; MLV:sfv; PTR:InfoDomainNonexistent; MX:1; A:1?= =?us-ascii?Q?; LANG:en; ?=
X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY)
X-Forefront-PRVS: 0169092318
Received-SPF: Pass (: domain of designates as permitted sender) receiver=; client-ip=;;
Cc: "" <>
Subject: Re: [OAUTH-WG] Proof-Of-Possession Semantics for JSON Web Tokens (JWTs)
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 02 Apr 2014 17:48:06 -0000

Thanks for the comments, James.  Comments inline marked with "Mike>".

-----Original Message-----
From: OAuth [] On Behalf Of John Bradley
Sent: Wednesday, April 02, 2014 6:45 AM
To: Manger, James
Subject: Re: [OAUTH-WG] Proof-Of-Possession Semantics for JSON Web Tokens (JWTs)

Thanks for the feedback.


On Apr 2, 2014, at 1:50 AM, Manger, James <<>> wrote:




> A new registry for "cnf" members is a bit strange. A JWT Claim Set has so far been a flat structure, with metadata such expiry date "exp" alongside claims such as "given_name". This spec starts introducing structure by wrapping members in a "cnf" (confirmation) object. It is not clear to me which new things would go in "cnf" versus going in to the top-level of the JWT claim set. Both locations have a "MUST ignore" policy for unrecognized members.

This is the first draft so this needs to be fleshed out.  The idea is to have a single object that contains what in SAML would be the subject confirmation information.   I expect hat the protocols using this are going to determine what claims need to go in cnf.

As an example for bearer tokens there might be an expirey time for presentment that is separate from the tokens lifetime as represented by "exp" at the top level.

This may not be a great example as people in general don't understand the difference between the two exp in SAML:)

But in general cnf contains claims that are required to confirm that the presenter is the subject/issuer or a designated agent.

Mike>  Another possible example is that a "kid" (Key ID) value might be used in the "cnf" (confirmation) object, rather than including the key directly.  This actually matches the SAML construct in which the SubjectConfirmation element contains a KeyInfo element that contains a KeyName element, rather than the key value.  In this case, you need the "kid" to be within the "cnf" object to distinguish it from the "kid" referring to the signing key.



>   "(In some applications, the subject identifier will be relative

>   to the issuer identified by the "iss" (issuer) claim.)"


> This isn't very helpful as it gives no hint about when this is or isn't the case. I guess this is just rewording a flaw from JWT.

This is one thing we have been wrangling over the wording of.

In the simple case where there is a "sub" then the key represents the proof key of the presenter or a authorized agent on there behalf.

There are some slippery bits even in that as it is the recipient that is trusting the issuer to put in the correct cnf information. Especially in cases where there may be multiple hops the key may be that of a RS that the user has no direct trust relationship with.

In the case where there is no subject, I tend to think of the JWT as having a implicit subject that is the issuer as that is really the only thing the claims could be about in the absence of a explicit subject.

A JWT without a subject could have a claim about a user that is logged into me but the me is the issuer.

So as in the case of there being no explicit subject the cnf is of the iss or a agent it has designated.

In principal if a intermediary receives the token and sends it to a STS like service the resulting JWT would then have the STS as the iss and the original iss as the sub.  Though that is outside of this spec.

Trying to come up with a simple explanation without dragging a bunch of other stuff in to the spec is not easy.

Perhaps something more like the cnf must evaluate to true for the presenter of the JWT otherwise the token is not being presented by a party authorized by the issuer, given that the recipient's primary trust relationship is with the issuer.

Trying to say who the presenter is may just be too confusing at this level.

Thoughts and wording input appreciated.

Mike> I agree with John that it's up to applications using this spec to say who the presenter is - just like it's up to applications using JWT to specify what the values of the "iss" and "sub" fields are for that application, and which of them are required.  That said, suggestions on how to make this clearer would of course be welcomed.



> Could the JWE example please include a "kid"? The recipient needs to know which key to use to decrypt the message. JWS says we SHOULD do this [JWS §6 2nd paragraph]. [P.S. Weren't we going to include "kid" is almost all the examples in JWE?]

Yes it should include a "kid"

Mike> You mean adding a "kid" to the JWE Header?  Yes, I can do that in the next revision.  (No "kid" is needed in the proof-of-possession key because it's passed by value, so there's no ambiguity what the key is.)


> You may as well drop the "cty":"jwk+json" member as this is implied by the JOSE message being the value of a "jwk" member.


It may be useful to libraries processing the JWE.

Mike> I agree with James that, in context, it's already known that the content type of the JWE Plaintext is a JWK, and so this can be dropped (which is allowed in the JWK spec).


> OpenID Connect has already defined a "sub_jwk" field that performs a similar role to "cnf":{"jwk"}.

> []

As you have pointed out connect self Issued needs an errata to address a problem anyway.

They are similar though the self issued case is more like a JWT that would be used as a proof mechanism rather than as a pop token itself.

Perhaps there is a case where the iss is using it's signing key for signing the token and via tls channel binding for presentment as an example.

The connect case doesn't require a presentment proof so is a bit different.

I take your point and will think about it a bit more.



> Perhaps the biggest security consideration is missing: "cnf" may be ignored. A recipient that doesn't understanding "cnf" is likely to accept a JWT as a bearer token without doing any proof-of-possession.


I think the protocol using the JWT would likely be where the requirement would be enforced along with the presentment mechanism.

Mike>  I agree with John here.  I can easily imagine use cases in which it's up to the recipient how often to check possession.  For instance, it might decide to incur the additional overhead only if possession hadn't been checked for longer than a certain time threshold.  We don't want to preclude those use cases.

                                                                -- Mike

John B.

> --

> James Manger

> _______________________________________________

> OAuth mailing list




OAuth mailing list<>