draft-ietf-oauth-proof-of-possession-05.txt   draft-ietf-oauth-proof-of-possession-06.txt 
OAuth Working Group M. Jones OAuth Working Group M. Jones
Internet-Draft Microsoft Internet-Draft Microsoft
Intended status: Standards Track J. Bradley Intended status: Standards Track J. Bradley
Expires: April 21, 2016 Ping Identity Expires: May 7, 2016 Ping Identity
H. Tschofenig H. Tschofenig
ARM Limited ARM Limited
October 19, 2015 November 4, 2015
Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs) Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)
draft-ietf-oauth-proof-of-possession-05 draft-ietf-oauth-proof-of-possession-06
Abstract Abstract
This specification defines how to express a declaration in a JSON Web This specification defines how to express a declaration in a JSON Web
Token (JWT) that the presenter of the JWT possesses a particular key Token (JWT) that the presenter of the JWT possesses a particular key
and that the recipient can cryptographically confirm proof-of- and that the recipient can cryptographically confirm proof-of-
possession of the key by the presenter. Being able to prove possession of the key by the presenter. Being able to prove
possession of a key is also sometimes described as the presenter possession of a key is also sometimes described as the presenter
being a holder-of-key. being a holder-of-key.
skipping to change at page 1, line 38 skipping to change at page 1, line 38
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 21, 2016. This Internet-Draft will expire on May 7, 2016.
Copyright Notice Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Notational Conventions . . . . . . . . . . . . . . . . . . 4 1.1. Notational Conventions . . . . . . . . . . . . . . . . . . 5
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5
3. Representations for Proof-of-Possession Keys . . . . . . . . . 4 3. Representations for Proof-of-Possession Keys . . . . . . . . . 6
3.1. Confirmation Claim . . . . . . . . . . . . . . . . . . . . 5 3.1. Confirmation Claim . . . . . . . . . . . . . . . . . . . . 6
3.2. Representation of an Asymmetric Proof-of-Possession Key . 6 3.2. Representation of an Asymmetric Proof-of-Possession Key . 7
3.3. Representation of an Encrypted Symmetric 3.3. Representation of an Encrypted Symmetric
Proof-of-Possession Key . . . . . . . . . . . . . . . . . 6 Proof-of-Possession Key . . . . . . . . . . . . . . . . . 7
3.4. Representation of a Key ID for a Proof-of-Possession 3.4. Representation of a Key ID for a Proof-of-Possession
Key . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 Key . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
3.5. Representation of a URL for a Proof-of-Possession Key . . 8 3.5. Representation of a URL for a Proof-of-Possession Key . . 9
3.6. Specifics Intentionally Not Specified . . . . . . . . . . 8 3.6. Specifics Intentionally Not Specified . . . . . . . . . . 9
4. Security Considerations . . . . . . . . . . . . . . . . . . . 9 4. Security Considerations . . . . . . . . . . . . . . . . . . . 10
5. Privacy Considerations . . . . . . . . . . . . . . . . . . . . 10 5. Privacy Considerations . . . . . . . . . . . . . . . . . . . . 11
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11
6.1. JSON Web Token Claims Registration . . . . . . . . . . . . 11 6.1. JSON Web Token Claims Registration . . . . . . . . . . . . 12
6.1.1. Registry Contents . . . . . . . . . . . . . . . . . . 11 6.1.1. Registry Contents . . . . . . . . . . . . . . . . . . 12
6.2. JWT Confirmation Methods Registry . . . . . . . . . . . . 11 6.2. JWT Confirmation Methods Registry . . . . . . . . . . . . 12
6.2.1. Registration Template . . . . . . . . . . . . . . . . 11 6.2.1. Registration Template . . . . . . . . . . . . . . . . 12
6.2.2. Initial Registry Contents . . . . . . . . . . . . . . 12 6.2.2. Initial Registry Contents . . . . . . . . . . . . . . 13
7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 12 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 13
7.1. Normative References . . . . . . . . . . . . . . . . . . . 12 7.1. Normative References . . . . . . . . . . . . . . . . . . . 13
7.2. Informative References . . . . . . . . . . . . . . . . . . 13 7.2. Informative References . . . . . . . . . . . . . . . . . . 14
Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 14 Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 15
Appendix B. Document History . . . . . . . . . . . . . . . . . . 14 Appendix B. Document History . . . . . . . . . . . . . . . . . . 15
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 15 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 16
1. Introduction 1. Introduction
This specification defines how a JSON Web Token (JWT) [JWT] can This specification defines how a JSON Web Token (JWT) [JWT] can
declare that the presenter of the JWT possesses a key and that the declare that the presenter of the JWT possesses a key and that the
recipient can cryptographically confirm that the presenter possesses recipient can cryptographically confirm that the presenter possesses
that key. Proof-of-possession of a key is also sometimes described that key. Proof-of-possession of a key is also sometimes described
as the presenter being a holder-of-key. The as the presenter being a holder-of-key. The
[I-D.ietf-oauth-pop-architecture] specification describes key [I-D.ietf-oauth-pop-architecture] specification describes key
confirmation, among other confirmation mechanisms. This confirmation, among other confirmation mechanisms. This
specification defines how to communicate key confirmation key specification defines how to communicate key confirmation key
information in JWTs. information in JWTs.
Envision the following two use cases. The first use case describes Envision the following two use cases. The first use case employs a
the use of a symmetric proof-of-possession key and the second use symmetric proof-of-possession key and the second use case employs an
case uses an asymmetric proof-of-possession key. asymmetric proof-of-possession key.
An issuer generates a JWT and places an encrypted symmetric key +--------------+
inside the newly introduced confirmation claim. This symmetric key | | +--------------+
is encrypted with a key known only to the issuer and the recipient. | |--(4) Presentation of -->| |
The entire JWT is then integrity protected by the issuer. The JWT is | | JWT w/ Encrypted | |
then sent to the presenter. Since the presenter is unable to obtain | Presenter | PoP Key | |
the encrypted symmetric key from the JWT itself, the issuer conveys | | | |
that symmetric key separately to the presenter. Now, the presenter | |<-(5) Communication ---->| |
is in possession of the symmetric key as well as the JWT (which | | Authenticated by | |
includes the confirmation claim member). When the presenter needs to +--------------+ PoP Key | |
present the JWT to the recipient, it also needs to demonstrate | ^ | |
possession of the symmetric key; the presenter, for example, uses the | | | |
symmetric key in a challenge/response protocol with the recipient. (1) Sym. (3) JWT w/ | Recipient |
The recipient is then able to verify that it is interacting with the | PoP | Encrypted | |
genuine presenter by decrypting the JWK contained inside the | Key | PoP Key | |
v | | |
+--------------+ | |
| | | |
| | | |
| |<-(2) Key Exchange for ->| |
| Issuer | Key Encryption Key | |
| | | |
| | | |
| | +--------------+
+--------------+
Figure 1: Proof-of-Possession with a Symmetric Key
In the case illustrated in Figure 1, the presenter generates a
symmetric key and (1) privately sends it to the issuer. The issuer
generates a JWT with an encrypted copy of this symmetric key in the
newly introduced confirmation claim. This symmetric key is encrypted
with a key known only to the issuer and the recipient, which is
established in step (2), if it doesn't already exist. The entire JWT
is integrity protected by the issuer. The JWT is then (3) sent to
the presenter. Now, the presenter is in possession of the symmetric
key as well as the JWT (which includes the confirmation claim). When
the presenter (4) presents the JWT to the recipient, it also needs to
demonstrate possession of the symmetric key; the presenter, for
example, (5) uses the symmetric key in a challenge/response protocol
with the recipient. The recipient is then able to verify that it is
interacting with the genuine presenter by decrypting the key in the
confirmation claim of the JWT. By doing this, the recipient obtains confirmation claim of the JWT. By doing this, the recipient obtains
the symmetric key, which it then uses to verify cryptographically the symmetric key, which it then uses to verify cryptographically
protected messages exchanged with the presenter. This symmetric key protected messages exchanged with the presenter (5). This symmetric
mechanism described above is conceptually similar to the use of key mechanism described above is conceptually similar to the use of
Kerberos tickets. Kerberos tickets.
In the second case, consider a presenter that generates a public/ +--------------+
private key pair. It then sends the public key to an issuer, which | | +--------------+
creates a JWT and places a public key (or an identifier for it) | |--(3) Presentation of -->| |
inside the newly introduced confirmation claim. The entire JWT is | | JWT w/ Public | |
integrity protected using a digital signature to protect it against | Presenter | PoP Key | |
modifications. The JWT is then sent to the presenter. When the | | | |
presenter needs to present the JWT to the recipient, it also needs to | |<-(4) Communication ---->| |
demonstrate possession of the private key. The presenter, for | | Authenticated by | |
example, uses the private key in a TLS exchange with the recipient or +--------------+ PoP Key | |
signs a nonce with the private key. The recipient is able to verify | ^ | |
that it is interacting with the genuine presenter by extracting the | | | |
public key from the confirmation claim of the JWT (after verifying (1) Public (2) JWT w/ | Recipient |
the digital signature of the JWT) and utilizing it with the private | PoP | Public | |
key in the TLS exchange or checking the nonce signature. | Key | PoP Key | |
v | | |
+--------------+ | |
| | | |
| | | |
| | | |
| Issuer | | |
| | | |
| | | |
| | +--------------+
+--------------+
Figure 2: Proof-of-Possession with an Asymmetric Key
In the case illustrated in Figure 2, the presenter generates a
public/private key pair and (1) sends the public key to the issuer,
which creates a JWT that contains the public key (or an identifier
for it) in the newly introduced confirmation claim. The entire JWT
is integrity protected using a digital signature to protect it
against modifications. The JWT is then (2) sent to the presenter.
When the presenter (3) presents the JWT to the recipient, it also
needs to demonstrate possession of the private key. The presenter,
for example, (4) uses the private key in a TLS exchange with the
recipient or (4) signs a nonce with the private key. The recipient
is able to verify that it is interacting with the genuine presenter
by extracting the public key from the confirmation claim of the JWT
(after verifying the digital signature of the JWT) and utilizing it
with the private key in the TLS exchange or by checking the nonce
signature.
In both cases, the JWT may contain other claims that are needed by In both cases, the JWT may contain other claims that are needed by
the application. the application.
1.1. Notational Conventions 1.1. Notational Conventions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in RFC "OPTIONAL" in this document are to be interpreted as described in RFC
2119 [RFC2119]. 2119 [RFC2119].
skipping to change at page 14, line 22 skipping to change at page 15, line 22
Appendix A. Acknowledgements Appendix A. Acknowledgements
The authors wish to thank Brian Campbell, Kepeng Li, James Manger, The authors wish to thank Brian Campbell, Kepeng Li, James Manger,
Justin Richer, and Nat Sakimura for their reviews of the Justin Richer, and Nat Sakimura for their reviews of the
specification. specification.
Appendix B. Document History Appendix B. Document History
[[ to be removed by the RFC Editor before publication as an RFC ]] [[ to be removed by the RFC Editor before publication as an RFC ]]
-06
o Added diagrams to the introduction.
-05 -05
o Addressed review comments by Kepeng Li. o Addressed review comments by Kepeng Li.
-04 -04
o Allowed the use of "jwk" for symmetric keys when the JWT is o Allowed the use of "jwk" for symmetric keys when the JWT is
encrypted. encrypted.
o Added the "jku" (JWK Set URL) member. o Added the "jku" (JWK Set URL) member.
 End of changes. 12 change blocks. 
60 lines changed or deleted 120 lines changed or added

This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/