Re: [OAUTH-WG] [Ace] Potential uses of PoP keys in CBOR Web Tokens (CWTs)

John Bradley <> Wed, 21 June 2017 20:01 UTC


I don’t have any deployments yet, but am changing companies in July and can see some future use cases for POP CWT around Web Authentication.

POP for JWT is taking off and Ping has implementations of that.

It would be beneficial if we could maintain the same confirmation “cnf” semantic between JWT and CWT.

I suspect that there are going to be gateways and mixed environments, so it will reduce confusion.

If you are asking about specific confirmation methods you need to give me a bit of time to swap some of this into my head.
The high-level semantic of a confirmation element should be the same, but even in JWT there are different methods and information that need to be propagated depending on the application, e.g. key hash vs DN vs encrypted symmetric key.

John B.

> On Jun 12, 2017, at 1:19 PM, Hannes Tschofenig <> wrote:
> Hi all,
> RFC 7800 defines how to communicate Proof of Possession (PoP) keys for
> JSON Web Tokens (JWTs) [RFC 7519]. The CBOR Web Token (CWT)
> draft-ietf-ace-cbor-web-token spec defines the CBOR/COSE equivalent of
> the JSON/JOSE JWT spec.
> The ACE working group is planning to also define a CBOR/COSE equivalent
> of RFC 7800 and is interested in knowing how you might use CBOR
> proof-of-possession keys for CWTs.
> Please drop us a message if you are using CBOR PoP keys for CWTs. We
> would like to learn more about your usage.
> Ciao
> Hannes & Kepeng