Re: [OAUTH-WG] trouble reading the start of sec 3 proof-of-possession-02

Justin Richer <jricher@mit.edu> Wed, 25 March 2015 15:35 UTC

From: Justin Richer <jricher@mit.edu>
In-Reply-To: <CA+k3eCRJWnEGVX94CNWBoH8ciXzxGGfSTFTbv9YqX2sard0y-g@mail.gmail.com>
Date: Wed, 25 Mar 2015 10:34:48 -0500
Message-Id: <BDAC3869-5BFA-48A8-BC67-C0B18D337E15@mit.edu>
References: <CA+k3eCSydCCrsrAdmm=5z-bQLpQZkPdJxYK3xWvfttWSbB9=uA@mail.gmail.com> <CA+k3eCRJWnEGVX94CNWBoH8ciXzxGGfSTFTbv9YqX2sard0y-g@mail.gmail.com>
To: Brian Campbell <bcampbell@pingidentity.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/vTI3yGe9AK8_jD-MsJEz_toCSGg>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] trouble reading the start of sec 3 proof-of-possession-02

Agree that this language isn’t clear. The presenter doesn’t confirm the claim either; the presenter never even looks for it (unless the presenter is the issuer, which is a special and hopefully rare case). That’s why the key is delivered to the presenter in parallel with the token. It’s the RS that confirms the claim (in OAuth PoP), or whoever’s processing the key-protected call downstream (in something that isn’t OAuth).

 — Justin

> On Mar 25, 2015, at 9:37 AM, Brian Campbell <bcampbell@pingidentity.com> wrote:
> 
> There's similar wording in sec 3.3 <https://tools.ietf.org/html/draft-ietf-oauth-proof-of-possession-02#section-3.3> too that seems to suggest that the presenter is the one that makes the claim.
> 
> I think the presenter confirms the claim when it presents. It's the issuer that makes/asserts/declares the claim. No?
> 
>   "In
>    this case, the presenter of a JWT declares that it possesses a
>    particular key and that the recipient can cryptographically confirm
>    proof-of-possession of the key by the presenter by including a "cnf"
>    (confirmation) claim in the JWT whose value is a JSON object, with
>    the JSON object containing a "kid" (key ID) member identifying the
>    key."
> 
> On Sun, Mar 22, 2015 at 8:42 PM, Brian Campbell <bcampbell@pingidentity.com> wrote:
> My brain hurt trying to parse the first sentence/paragraph from section 3 <https://tools.ietf.org/html/draft-ietf-oauth-proof-of-possession-02#section-3>:
>    "The presenter of a JWT declares that it possesses a particular key
>    and that the recipient can cryptographically confirm proof-of-
>    possession of the key by the presenter by including a "cnf"
>    (confirmation) claim in the JWT whose value is a JSON object, with
>    the JSON object containing a "jwk" (JSON Web Key) or "kid" (key ID)
>    member identifying the key."
> The issuer includes the "cnf" claim and makes the declaration not the presenter. Sure, the presenter may be the issuer but that's a special case.
> 
> Isn't it more accurate to say that it is the issuer who declares that the presenter can confirm itself by some cryptographic proof-of-possession of the key identified by the "cnf" claim? Or something more like that...
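The three roles the thread is sorting out, as an added illustration that is not part of this thread or of the draft: the issuer asserts the "cnf" claim (here with a "kid" member) and signs the JWT; the presenter never reads "cnf", it just signs the request with the key it was handed alongside the token; the RS verifies the issuer signature, resolves "kid" in its own key store and confirms possession. The secret values, key id, issuer URL and key-store layout are constructed assumptions; the JWT uses HS256 over an issuer/RS shared secret so the example runs on the standard library alone.

```python
import base64, hashlib, hmac, json

# Constructed values (assumptions, not from the draft): a secret shared by
# issuer and RS for the JWT signature, and a presenter key the RS knows by id.
ISSUER_RS_SECRET = b"constructed-issuer-rs-secret"
PRESENTER_KEY_ID = "pop-key-1"
PRESENTER_KEY = b"constructed-presenter-key"

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(subject: str, kid: str) -> str:
    """Issuer: makes the declaration by putting 'cnf' in the JWT, then signs it."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": "https://issuer.example", "sub": subject, "cnf": {"kid": kid}}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(ISSUER_RS_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def present(token: str, key: bytes, request: bytes) -> dict:
    """Presenter: does not inspect 'cnf'; signs the request with the key delivered with the token."""
    proof = hmac.new(key, request, hashlib.sha256).digest()
    return {"token": token, "request": request, "proof": b64url(proof)}

def rs_verify(msg: dict, key_store: dict) -> bool:
    """RS (recipient): checks the issuer signature, then confirms possession of the 'cnf' key."""
    h, c, s = msg["token"].split(".")
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        return False                                     # refuse unexpected algorithms
    expected = hmac.new(ISSUER_RS_SECRET, (h + "." + c).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return False                                     # token was not issued by the issuer
    cnf = json.loads(b64url_decode(c)).get("cnf", {})
    key = key_store.get(cnf.get("kid")) if isinstance(cnf, dict) else None
    if key is None:
        return False                                     # 'cnf' missing or key id unknown to the RS
    proof = hmac.new(key, msg["request"], hashlib.sha256).digest()
    return hmac.compare_digest(proof, b64url_decode(msg["proof"]))

def demo() -> tuple:
    """Honest presenter is accepted; a holder of the token without the key is rejected."""
    store = {PRESENTER_KEY_ID: PRESENTER_KEY}
    token = issue_token("alice", PRESENTER_KEY_ID)
    good = rs_verify(present(token, PRESENTER_KEY, b"GET /resource"), store)
    bad = rs_verify(present(token, b"stolen-token-no-key", b"GET /resource"), store)
    return good, bad
```

A bearer-style replay (token copied, key absent) fails at the possession check, while a token whose "cnf.kid" the RS cannot resolve fails before any proof is examined.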