draft-ietf-oauth-proof-of-possession-08.txt   draft-ietf-oauth-proof-of-possession-09.txt 
OAuth Working Group M. Jones OAuth Working Group M. Jones
Internet-Draft Microsoft Internet-Draft Microsoft
Intended status: Standards Track J. Bradley Intended status: Standards Track J. Bradley
Expires: June 2, 2016 Ping Identity Expires: June 15, 2016 Ping Identity
H. Tschofenig H. Tschofenig
ARM Limited ARM Limited
November 30, 2015 December 13, 2015
Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs) Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)
draft-ietf-oauth-proof-of-possession-08 draft-ietf-oauth-proof-of-possession-09
Abstract Abstract
This specification defines how to express a declaration in a JSON Web This specification defines how to express a declaration in a JSON Web
Token (JWT) that the presenter of the JWT possesses a particular key Token (JWT) that the presenter of the JWT possesses a particular key
and that the recipient can cryptographically confirm proof-of- and that the recipient can cryptographically confirm proof-of-
possession of the key by the presenter. Being able to prove possession of the key by the presenter. Being able to prove
possession of a key is also sometimes described as the presenter possession of a key is also sometimes described as the presenter
being a holder-of-key. being a holder-of-key.
skipping to change at page 1, line 38 skipping to change at page 1, line 38
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on June 2, 2016. This Internet-Draft will expire on June 15, 2016.
Copyright Notice Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 7, line 29 skipping to change at page 7, line 29
3.2. Representation of an Asymmetric Proof-of-Possession Key 3.2. Representation of an Asymmetric Proof-of-Possession Key
When the key held by the presenter is an asymmetric private key, the When the key held by the presenter is an asymmetric private key, the
"jwk" member is a JSON Web Key (JWK) [JWK] representing the "jwk" member is a JSON Web Key (JWK) [JWK] representing the
corresponding asymmetric public key. The following example corresponding asymmetric public key. The following example
demonstrates such a declaration in the JWT Claims Set of a JWT: demonstrates such a declaration in the JWT Claims Set of a JWT:
{ {
"iss": "https://server.example.com", "iss": "https://server.example.com",
"aud": "https://client.example.org", "aud": "https://client.example.org",
"exp": "1361398824", "exp": 1361398824,
"cnf":{ "cnf":{
"jwk":{ "jwk":{
"kty": "EC", "kty": "EC",
"use": "sig", "use": "sig",
"crv": "P-256", "crv": "P-256",
"x": "18wHLeIgW9wVN6VD1Txgpqy2LszYkMf6J8njVAibvhM", "x": "18wHLeIgW9wVN6VD1Txgpqy2LszYkMf6J8njVAibvhM",
"y": "-V4dS4UaLMgP_4fY4j8ir7cl1TXlFdAgcx55o7TkcSA" "y": "-V4dS4UaLMgP_4fY4j8ir7cl1TXlFdAgcx55o7TkcSA"
} }
} }
} }
skipping to change at page 9, line 23 skipping to change at page 9, line 23
(confirmation) claim in the JWT whose value is a JSON object, with (confirmation) claim in the JWT whose value is a JSON object, with
the JSON object containing a "kid" (key ID) member identifying the the JSON object containing a "kid" (key ID) member identifying the
key. key.
The following example demonstrates such a declaration in the JWT The following example demonstrates such a declaration in the JWT
Claims Set of a JWT: Claims Set of a JWT:
{ {
"iss": "https://server.example.com", "iss": "https://server.example.com",
"aud": "https://client.example.org", "aud": "https://client.example.org",
"exp": "1361398824", "exp": 1361398824,
"cnf":{ "cnf":{
"kid": "dfd1aa97-6d8d-4575-a0fe-34b96de2bfad" "kid": "dfd1aa97-6d8d-4575-a0fe-34b96de2bfad"
} }
} }
The content of the "kid" value is application specific. For The content of the "kid" value is application specific. For
instance, some applications may choose to use a JWK Thumbprint instance, some applications may choose to use a JWK Thumbprint
[JWK.Thumbprint] value as the "kid" value. [JWK.Thumbprint] value as the "kid" value.
3.5. Representation of a URL for a Proof-of-Possession Key 3.5. Representation of a URL for a Proof-of-Possession Key
skipping to change at page 10, line 9 skipping to change at page 10, line 9
Transport Layer Security (TLS) [RFC5246]; and the identity of the Transport Layer Security (TLS) [RFC5246]; and the identity of the
server MUST be validated, as per Section 6 of RFC 6125 [RFC6125]. server MUST be validated, as per Section 6 of RFC 6125 [RFC6125].
The following example demonstrates such a declaration in the JWT The following example demonstrates such a declaration in the JWT
Claims Set of a JWT: Claims Set of a JWT:
{ {
"iss": "https://server.example.com", "iss": "https://server.example.com",
"sub": "17760704", "sub": "17760704",
"aud": "https://client.example.org", "aud": "https://client.example.org",
"exp": "1440804813", "exp": 1440804813,
"cnf":{ "cnf":{
"jku": "https://keys.example.net/pop-keys.json", "jku": "https://keys.example.net/pop-keys.json",
"kid": "2015-08-28" "kid": "2015-08-28"
} }
} }
3.6. Specifics Intentionally Not Specified 3.6. Specifics Intentionally Not Specified
Proof-of-possession is typically demonstrated by having the presenter Proof-of-possession is typically demonstrated by having the presenter
sign a value determined by the recipient using the key possessed by sign a value determined by the recipient using the key possessed by
skipping to change at page 15, line 41 skipping to change at page 15, line 41
Appendix A. Acknowledgements Appendix A. Acknowledgements
The authors wish to thank Brian Campbell, Kepeng Li, James Manger, The authors wish to thank Brian Campbell, Kepeng Li, James Manger,
Kathleen Moriarty, Justin Richer, and Nat Sakimura for their reviews Kathleen Moriarty, Justin Richer, and Nat Sakimura for their reviews
of the specification. of the specification.
Appendix B. Document History Appendix B. Document History
[[ to be removed by the RFC Editor before publication as an RFC ]] [[ to be removed by the RFC Editor before publication as an RFC ]]
-09
o Removed erroneous quotation marks around numeric "exp" claim
values in examples.
-08 -08
o Added security consideration about also utilizing audience o Added security consideration about also utilizing audience
restriction. restriction.
-07 -07
o Addressed review comments by Hannes Tschofenig, Kathleen Moriarty, o Addressed review comments by Hannes Tschofenig, Kathleen Moriarty,
and Justin Richer. Changes were: and Justin Richer. Changes were:
 End of changes. 8 change blocks. 
7 lines changed or deleted 12 lines changed or added

This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/