Re: [OAUTH-WG] trouble reading the start of sec 3 proof-of-possession-02

Nat Sakimura <sakimura@gmail.com> Wed, 25 March 2015 15:31 UTC

Date: Thu, 26 Mar 2015 00:31:30 +0900
Message-ID: <CABzCy2AE4dJ8yHKb7M5_o9mDSHBPjrEOZgSKCW79Ebk2F1FbPg@mail.gmail.com>
From: Nat Sakimura <sakimura@gmail.com>
To: Brian Campbell <bcampbell@pingidentity.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/yQEpNYFnvWVNTXHMex6gF78iYnA>
Cc: oauth <oauth@ietf.org>

My take is that the presenter presents the token with a cnf claim and some
kind of proof of possession of the material that the cnf claim refers to. It is
the recipient that "confirms" or "verifies" that the claim made by the
authorized presenter is correct.

2015-03-25 23:37 GMT+09:00 Brian Campbell <bcampbell@pingidentity.com>:

> There's similar wording in sec 3.3
> <https://tools.ietf.org/html/draft-ietf-oauth-proof-of-possession-02#section-3.3>
> too that seems to suggest that the presenter is the one that makes the
> claim.
>
> I think the presenter confirms the claim when it presents. It's the issuer
> that makes/asserts/declares the claim. No?
>
>   "In
>    this case, the presenter of a JWT declares that it possesses a
>    particular key and that the recipient can cryptographically confirm
>    proof-of-possession of the key by the presenter by including a "cnf"
>    (confirmation) claim in the JWT whose value is a JSON object, with
>    the JSON object containing a "kid" (key ID) member identifying the
>    key."
>
>
> On Sun, Mar 22, 2015 at 8:42 PM, Brian Campbell <bcampbell@pingidentity.com> wrote:
>
>> My brain hurt trying to parse the first sentence/paragraph from section 3
>> <https://tools.ietf.org/html/draft-ietf-oauth-proof-of-possession-02#section-3>:
>>
>>
>>    "The presenter of a JWT declares that it possesses a particular key
>>    and that the recipient can cryptographically confirm proof-of-
>>    possession of the key by the presenter by including a "cnf"
>>    (confirmation) claim in the JWT whose value is a JSON object, with
>>    the JSON object containing a "jwk" (JSON Web Key) or "kid" (key ID)
>>    member identifying the key."
>>
>> The issuer includes the "cnf" claim and makes the declaration not the
>> presenter. Sure, the presenter may be the issuer but that's a special case.
>>
>> Isn't it more accurate to say that it is the issuer who declares that the
>> presenter can confirm itself by some cryptographic proof-of-possession of
>> the key identified by the "cnf" claim? Or something more like that...
>>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>


-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en