| < draft-ietf-ace-cwt-proof-of-possession-06.txt | draft-ietf-ace-cwt-proof-of-possession-07.txt > | |||
|---|---|---|---|---|
| ACE M. Jones | ACE M. Jones | |||
| Internet-Draft Microsoft | Internet-Draft Microsoft | |||
| Intended status: Standards Track L. Seitz | Intended status: Standards Track L. Seitz | |||
| Expires: August 25, 2019 RISE SICS | Expires: March 21, 2020 RISE SICS | |||
| G. Selander | G. Selander | |||
| Ericsson AB | Ericsson AB | |||
| S. Erdtman | S. Erdtman | |||
| Spotify | Spotify | |||
| H. Tschofenig | H. Tschofenig | |||
| ARM Ltd. | Arm Ltd. | |||
| February 21, 2019 | September 18, 2019 | |||
| Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) | Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) | |||
| draft-ietf-ace-cwt-proof-of-possession-06 | draft-ietf-ace-cwt-proof-of-possession-07 | |||
| Abstract | Abstract | |||
| This specification describes how to declare in a CBOR Web Token (CWT) | This specification describes how to declare in a CBOR Web Token (CWT) | |||
| that the presenter of the CWT possesses a particular proof-of- | that the presenter of the CWT possesses a particular proof-of- | |||
| possession key. Being able to prove possession of a key is also | possession key. Being able to prove possession of a key is also | |||
| sometimes described as being the holder-of-key. This specification | sometimes described as being the holder-of-key. This specification | |||
| provides equivalent functionality to "Proof-of-Possession Key | provides equivalent functionality to "Proof-of-Possession Key | |||
| Semantics for JSON Web Tokens (JWTs)" (RFC 7800), but using CBOR and | Semantics for JSON Web Tokens (JWTs)" (RFC 7800) but using CBOR and | |||
| CWTs rather than JSON and JWTs. | CWTs rather than JSON and JWTs. | |||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on August 25, 2019. | This Internet-Draft will expire on March 21, 2020. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2019 IETF Trust and the persons identified as the | Copyright (c) 2019 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 25 ¶ | skipping to change at page 2, line 25 ¶ | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 3. Representations for Proof-of-Possession Keys . . . . . . . . 3 | 3. Representations for Proof-of-Possession Keys . . . . . . . . 3 | |||
| 3.1. Confirmation Claim . . . . . . . . . . . . . . . . . . . 4 | 3.1. Confirmation Claim . . . . . . . . . . . . . . . . . . . 4 | |||
| 3.2. Representation of an Asymmetric Proof-of-Possession Key . 5 | 3.2. Representation of an Asymmetric Proof-of-Possession Key . 5 | |||
| 3.3. Representation of an Encrypted Symmetric Proof-of- | 3.3. Representation of an Encrypted Symmetric Proof-of- | |||
| Possession Key . . . . . . . . . . . . . . . . . . . . . 5 | Possession Key . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 3.4. Representation of a Key ID for a Proof-of-Possession Key 6 | 3.4. Representation of a Key ID for a Proof-of-Possession Key 6 | |||
| 3.5. Specifics Intentionally Not Specified . . . . . . . . . . 8 | 3.5. Specifics Intentionally Not Specified . . . . . . . . . . 7 | |||
| 4. Security Considerations . . . . . . . . . . . . . . . . . . . 8 | 4. Security Considerations . . . . . . . . . . . . . . . . . . . 8 | |||
| 5. Privacy Considerations . . . . . . . . . . . . . . . . . . . 9 | 5. Privacy Considerations . . . . . . . . . . . . . . . . . . . 9 | |||
| 6. Operational Considerations . . . . . . . . . . . . . . . . . 10 | 6. Operational Considerations . . . . . . . . . . . . . . . . . 9 | |||
| 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 | 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 7.1. CBOR Web Token Claims Registration . . . . . . . . . . . 11 | 7.1. CBOR Web Token Claims Registration . . . . . . . . . . . 10 | |||
| 7.1.1. Registry Contents . . . . . . . . . . . . . . . . . . 11 | 7.1.1. Registry Contents . . . . . . . . . . . . . . . . . . 10 | |||
| 7.2. CWT Confirmation Methods Registry . . . . . . . . . . . . 11 | 7.2. CWT Confirmation Methods Registry . . . . . . . . . . . . 11 | |||
| 7.2.1. Registration Template . . . . . . . . . . . . . . . . 11 | 7.2.1. Registration Template . . . . . . . . . . . . . . . . 11 | |||
| 7.2.2. Initial Registry Contents . . . . . . . . . . . . . . 12 | 7.2.2. Initial Registry Contents . . . . . . . . . . . . . . 11 | |||
| 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 13 | 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 12 | |||
| 8.1. Normative References . . . . . . . . . . . . . . . . . . 13 | 8.1. Normative References . . . . . . . . . . . . . . . . . . 12 | |||
| 8.2. Informative References . . . . . . . . . . . . . . . . . 13 | 8.2. Informative References . . . . . . . . . . . . . . . . . 13 | |||
| Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 14 | Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 14 | |||
| Document History . . . . . . . . . . . . . . . . . . . . . . . . 14 | Document History . . . . . . . . . . . . . . . . . . . . . . . . 14 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 15 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 15 | |||
| 1. Introduction | 1. Introduction | |||
| This specification describes how a CBOR Web Token (CWT) [RFC8392] can | This specification describes how a CBOR Web Token (CWT) [RFC8392] can | |||
| declare that the presenter of the CWT possesses a particular proof- | declare that the presenter of the CWT possesses a particular proof- | |||
| of-possession (PoP) key. Proof of possession of a key is also | of-possession (PoP) key. Proof of possession of a key is also | |||
| sometimes described as being the holder-of-key. This specification | sometimes described as being the holder-of-key. This specification | |||
| provides equivalent functionality to "Proof-of-Possession Key | provides equivalent functionality to "Proof-of-Possession Key | |||
| Semantics for JSON Web Tokens (JWTs)" [RFC7800], but using CBOR | Semantics for JSON Web Tokens (JWTs)" [RFC7800] but using CBOR | |||
| [RFC7049] and CWTs [RFC8392] rather than JSON [RFC8259] and JWTs | [RFC7049] and CWTs [RFC8392] rather than JSON [RFC8259] and JWTs | |||
| [JWT]. | [JWT]. | |||
| 2. Terminology | 2. Terminology | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
| "OPTIONAL" in this document are to be interpreted as described in BCP | "OPTIONAL" in this document are to be interpreted as described in BCP | |||
| 14 [RFC2119] [RFC8174] when, and only when, they appear in all | 14 [RFC2119] [RFC8174] when, and only when, they appear in all | |||
| capitals, as shown here. | capitals, as shown here. | |||
| skipping to change at page 3, line 26 ¶ | skipping to change at page 3, line 26 ¶ | |||
| These terms are defined by this specification: | These terms are defined by this specification: | |||
| Issuer | Issuer | |||
| Party that creates the CWT and binds the claims about the subject | Party that creates the CWT and binds the claims about the subject | |||
| to the proof-of-possession key. | to the proof-of-possession key. | |||
| Presenter | Presenter | |||
| Party that proves possession of a private key (for asymmetric key | Party that proves possession of a private key (for asymmetric key | |||
| cryptography) or secret key (for symmetric key cryptography) to a | cryptography) or secret key (for symmetric key cryptography) to a | |||
| recipient. | recipient of a CWT. | |||
| In context of OAuth this party is also called OAuth Client. | In the context of OAuth, this party is also called the OAuth | |||
| Client. | ||||
| Recipient | Recipient | |||
| Party that receives the CWT containing the proof-of-possession key | Party that receives the CWT containing the proof-of-possession key | |||
| information from the presenter. | information from the presenter. | |||
| In context of OAuth this party is also called OAuth Resource | In the context of OAuth, this party is also called the OAuth | |||
| Server. | Resource Server. | |||
| This specification provides examples in CBOR extended diagnostic | ||||
| notation, as defined in Appendix G of [RFC8610]. The examples | ||||
| include line breaks for readability. | ||||
| 3. Representations for Proof-of-Possession Keys | 3. Representations for Proof-of-Possession Keys | |||
| By including a "cnf" (confirmation) claim in a CWT, the issuer of the | By including a "cnf" (confirmation) claim in a CWT, the issuer of the | |||
| CWT declares that the presenter possesses a particular key and that | CWT declares that the presenter possesses a particular key and that | |||
| the recipient can cryptographically confirm that the presenter has | the recipient can cryptographically confirm that the presenter has | |||
| possession of that key. The value of the "cnf" claim is a CBOR map | possession of that key. The value of the "cnf" claim is a CBOR map | |||
| and the members of that map identify the proof-of-possession key. | and the members of that map identify the proof-of-possession key. | |||
| The presenter can be identified in one of several ways by the CWT, | The presenter can be identified in one of several ways by the CWT, | |||
| skipping to change at page 5, line 9 ¶ | skipping to change at page 5, line 19 ¶ | |||
| | Encrypted_COSE_Key | 2 | COSE_Encrypt or COSE_Encrypt0 | | | Encrypted_COSE_Key | 2 | COSE_Encrypt or COSE_Encrypt0 | | |||
| | kid | 3 | binary string | | | kid | 3 | binary string | | |||
| \--------------------+-----+-------------------------------/ | \--------------------+-----+-------------------------------/ | |||
| Figure 1: Summary of the cnf names, keys, and value types | Figure 1: Summary of the cnf names, keys, and value types | |||
| 3.2. Representation of an Asymmetric Proof-of-Possession Key | 3.2. Representation of an Asymmetric Proof-of-Possession Key | |||
| When the key held by the presenter is an asymmetric private key, the | When the key held by the presenter is an asymmetric private key, the | |||
| "COSE_Key" member is a COSE_Key [RFC8152] representing the | "COSE_Key" member is a COSE_Key [RFC8152] representing the | |||
| corresponding asymmetric public key. The following example (using | corresponding asymmetric public key. The following example | |||
| CBOR diagnostic notation) demonstrates such a declaration in the CWT | demonstrates such a declaration in the CWT Claims Set of a CWT: | |||
| Claims Set of a CWT: | ||||
| { | { | |||
| /iss/ 1 : "coaps://server.example.com", | /iss/ 1 : "coaps://server.example.com", | |||
| /aud/ 3 : "coaps://client.example.org", | /aud/ 3 : "coaps://client.example.org", | |||
| /exp/ 4 : 1361398824, | /exp/ 4 : 1879067471, | |||
| /cnf/ 8 :{ | /cnf/ 8 :{ | |||
| /COSE_Key/ 1 :{ | /COSE_Key/ 1 :{ | |||
| /kty/ 1 : /EC/ 2, | /kty/ 1 : /EC2/ 2, | |||
| /crv/ -1 : /P-256/ 1, | /crv/ -1 : /P-256/ 1, | |||
| /x/ -2 : h'd7cc072de2205bdc1537a543d53c60a6acb62eccd890c7fa27c9 | /x/ -2 : h'd7cc072de2205bdc1537a543d53c60a6acb62eccd890c7fa27c9 | |||
| e354089bbe13', | e354089bbe13', | |||
| /y/ -3 : h'f95e1d4b851a2cc80fff87d8e23f22afb725d535e515d020731e | /y/ -3 : h'f95e1d4b851a2cc80fff87d8e23f22afb725d535e515d020731e | |||
| 79a3b4e47120' | 79a3b4e47120' | |||
| } | } | |||
| } | } | |||
| } | } | |||
| The COSE_Key MUST contain the required key members for a COSE_Key of | The COSE_Key MUST contain the required key members for a COSE_Key of | |||
| skipping to change at page 5, line 46 ¶ | skipping to change at page 6, line 7 ¶ | |||
| explained in [RFC8392]. If the CWT is not encrypted, the symmetric | explained in [RFC8392]. If the CWT is not encrypted, the symmetric | |||
| key MUST be encrypted as described in Section 3.3. | key MUST be encrypted as described in Section 3.3. | |||
| 3.3. Representation of an Encrypted Symmetric Proof-of-Possession Key | 3.3. Representation of an Encrypted Symmetric Proof-of-Possession Key | |||
| When the key held by the presenter is a symmetric key, the | When the key held by the presenter is a symmetric key, the | |||
| "Encrypted_COSE_Key" member is an encrypted COSE_Key [RFC8152] | "Encrypted_COSE_Key" member is an encrypted COSE_Key [RFC8152] | |||
| representing the symmetric key encrypted to a key known to the | representing the symmetric key encrypted to a key known to the | |||
| recipient using COSE_Encrypt or COSE_Encrypt0. | recipient using COSE_Encrypt or COSE_Encrypt0. | |||
| The following example (using CBOR diagnostic notation, with | The following example illustrates a symmetric key that could | |||
| linebreaks for readability) illustrates a symmetric key that could | ||||
| subsequently be encrypted for use in the "Encrypted_COSE_Key" member: | subsequently be encrypted for use in the "Encrypted_COSE_Key" member: | |||
| { | { | |||
| /kty/ 1 : /Symmetric/ 4, | /kty/ 1 : /Symmetric/ 4, | |||
| /alg/ 3 : /HMAC256/ 5, | /alg/ 3 : /HMAC256//256/ 5, | |||
| /k/ -1 : h'6684523ab17337f173500e5728c628547cb37df | /k/ -1 : h'6684523ab17337f173500e5728c628547cb37df | |||
| e68449c65f885d1b73b49eae1' | e68449c65f885d1b73b49eae1' | |||
| } | } | |||
| The COSE_Key representation is used as the plaintext when encrypting | The COSE_Key representation is used as the plaintext when encrypting | |||
| the key. | the key. | |||
| The following example CWT Claims Set of a CWT (using CBOR diagnostic | The following example CWT Claims Set of a CWT illustrates the use of | |||
| notation, with linebreaks for readability) illustrates the use of an | an encrypted symmetric key as the "Encrypted_COSE_Key" member value: | |||
| encrypted symmetric key as the "Encrypted_COSE_Key" member value: | ||||
| { | { | |||
| /iss/ 1 : "coaps://server.example.com", | /iss/ 1 : "coaps://server.example.com", | |||
| /sub/ 2 : "24400320", | /sub/ 2 : "24400320", | |||
| /aud/ 3: "s6BhdRkqt3", | /aud/ 3: "s6BhdRkqt3", | |||
| /exp/ 4 : 1311281970, | /exp/ 4 : 1311281970, | |||
| /iat/ 5 : 1311280970, | /iat/ 5 : 1311280970, | |||
| /cnf/ 8 : { | /cnf/ 8 : { | |||
| /COSE_Encrypt0/ 2 : [ | /Encrypted_COSE_Key/ 2 : [ | |||
| /protected header/ h'A1010A' /{ \alg\ 1:10 \AES-CCM-16-64-128\}/, | /protected header/ h'A1010A' /{ \alg\ 1:10 \AES-CCM-16-64-128\}/, | |||
| /unprotected header/ { / iv / 5: h'636898994FF0EC7BFCF6D3F95B'}, | /unprotected header/ { / iv / 5: h'636898994FF0EC7BFCF6D3F95B'}, | |||
| /ciphertext/ h'0573318A3573EB983E55A7C2F06CADD0796C9E584F1D0E3E | /ciphertext/ h'0573318A3573EB983E55A7C2F06CADD0796C9E584F1D0E3E | |||
| A8C5B052592A8B2694BE9654F0431F38D5BBC8049FA7F13F' | A8C5B052592A8B2694BE9654F0431F38D5BBC8049FA7F13F' | |||
| ] | ] | |||
| } | } | |||
| } | } | |||
| The example above was generated with the key: | The example above was generated with the key: | |||
| h'6162630405060708090a0b0c0d0e0f10' | h'6162630405060708090a0b0c0d0e0f10' | |||
| 3.4. Representation of a Key ID for a Proof-of-Possession Key | 3.4. Representation of a Key ID for a Proof-of-Possession Key | |||
| The proof-of-possession key can also be identified by the use of a | The proof-of-possession key can also be identified using a Key ID | |||
| Key ID instead of communicating the actual key, provided the | instead of communicating the actual key, provided the recipient is | |||
| recipient is able to obtain the identified key using the Key ID. In | able to obtain the identified key using the Key ID. In this case, | |||
| this case, the issuer of a CWT declares that the presenter possesses | the issuer of a CWT declares that the presenter possesses a | |||
| a particular key and that the recipient can cryptographically confirm | particular key and that the recipient can cryptographically confirm | |||
| proof of possession of the key by the presenter by including a "cnf" | proof of possession of the key by the presenter by including a "cnf" | |||
| claim in the CWT whose value is a CBOR map with the CBOR map | claim in the CWT whose value is a CBOR map with the CBOR map | |||
| containing a "kid" member identifying the key. | containing a "kid" member identifying the key. | |||
| The following example (using CBOR diagnostic notation) demonstrates | The following example demonstrates such a declaration in the CWT | |||
| such a declaration in the CWT Claims Set of a CWT: | Claims Set of a CWT: | |||
| { | { | |||
| /iss/ 1 : "coaps://server.example.com", | /iss/ 1 : "coaps://as.example.com", | |||
| /aud/ 3 : "coaps://client.example.org", | /aud/ 3 : "coaps://resource.example.org", | |||
| /exp/ 4 : 1361398824, | /exp/ 4 : 1361398824, | |||
| /cnf/ 8 : { | /cnf/ 8 : { | |||
| /kid/ 2 : h'dfd1aa976d8d4575a0fe34b96de2bfad' | /kid/ 3 : h'dfd1aa976d8d4575a0fe34b96de2bfad' | |||
| } | } | |||
| } | } | |||
| The content of the "kid" value is application specific. For | The content of the "kid" value is application specific. For | |||
| instance, some applications may choose to use a cryptographic hash of | instance, some applications may choose to use a cryptographic hash of | |||
| the public key value as the "kid" value. | the public key value as the "kid" value. | |||
| Note that the use of a Key ID to identify a proof-of-possesion key | Note that the use of a Key ID to identify a proof-of-possession key | |||
| needs to be carefully circumscribed, as described below and in | needs to be carefully circumscribed, as described below and in | |||
| Section 6. Where the Key ID is not a cryptographic value derived | Section 6. In cases where the Key ID is not a cryptographic value | |||
| from the key or where all of the parties involved are not validating | derived from the key or where not all of the parties involved are | |||
| the cryptographic derivation, it is possible to get into situations | validating the cryptographic derivation, implementers should expect | |||
| where the same Key ID is being used for multiple keys. The | collisions, where different keys are assigned the same Key ID. | |||
| implication of this is that a recipient may have multiple keys known | Recipients of a CWT with a PoP key linked through only a Key ID | |||
| to it that have the same Key ID, and thus it might not know which | should be prepared to handle such situations. | |||
| proof-of-possession key is associated with the CWT. | ||||
| In the world of constrained Internet of Things (IoT) devices, there | In the world of constrained Internet of Things (IoT) devices, there | |||
| is frequently a restriction on the size of Key IDs, either because of | is frequently a restriction on the size of Key IDs, either because of | |||
| table constraints or a desire to keep message sizes small. These | table constraints or a desire to keep message sizes small. | |||
| restrictions are going to protocol dependent. For example, DTLS can | ||||
| use a Key ID of any size. However, if the key is being used with | ||||
| COSE encrypted message, then the length of the key needs to be | ||||
| minimized and may have a limit as small as one byte. | ||||
| Note that the value of a Key ID is not always the same for different | ||||
| parties. When sending a COSE encrypted message with a shared key, | ||||
| the Key ID may be different on both sides of the conversation, with | ||||
| the appropriate one being included in the message based on the | ||||
| recipient of the message. | ||||
| For symmetric keys, the Key ID is normally going to be generated by | ||||
| the CWT issuer. This means that enforcing a rule that Key ID values | ||||
| only match if CWTs have the same issuer works for matching Key IDs | ||||
| between CWTs. In this case, the issuer can ensure that there are no | ||||
| collisions between currently active symmetric keys for all CWTs that | ||||
| it has issued. This allows for a recipient to use the pair of issuer | ||||
| and Key ID for matching keys. | ||||
| For asymmetric keys, the Key ID value is normally going to be | ||||
| generated by the CWT recipient, thus the possibility of collisions is | ||||
| greater. For instance, recipients might start by assigning a Key ID | ||||
| of 0, given that Key IDs are frequently only needed to be unique and | ||||
| meaningful to the recipient. This problem can be addressed in a | ||||
| couple of different ways, depending on how the Key ID value is going | ||||
| to be used: | ||||
| o The issuer can assign a new unique Key ID the first time it sees | ||||
| the key. Depending on the protocol being used, the new value may | ||||
| then need to be transported to the presenter by the protocol used | ||||
| to issue CWTs. In this case, the rule of requiring that the | ||||
| issuer, Key ID pair be used for matching works. | ||||
| o The issuer can use a different confirmation method if a collision | ||||
| might be unavoidable. | ||||
| o A recipient can decide not to use a CWT based on a created Key ID | ||||
| if it does not fit the recipient's requirements. | ||||
| o If an issuer is going to use the Key ID confirmation method and is | ||||
| not going to guarantee that serial number uniqueness is going to | ||||
| be preserved, the recipient needs to have that information | ||||
| configured into it so that appropriate actions can be taken. | ||||
| 3.5. Specifics Intentionally Not Specified | 3.5. Specifics Intentionally Not Specified | |||
| Proof of possession is often demonstrated by having the presenter | Proof of possession is often demonstrated by having the presenter | |||
| sign a value determined by the recipient using the key possessed by | sign a value determined by the recipient using the key possessed by | |||
| the presenter. This value is sometimes called a "nonce" or a | the presenter. This value is sometimes called a "nonce" or a | |||
| "challenge". | "challenge". There are, however, also other means to demonstrate | |||
| freshness of the exchange and to link the proof-of-possession key to | ||||
| the participating parties, as demonstrated by various authentication | ||||
| and key exchange protocols. | ||||
| The means of communicating the nonce and the nature of its contents | The means of communicating the nonce and the nature of its contents | |||
| are intentionally not described in this specification, as different | are intentionally not described in this specification, as different | |||
| protocols will communicate this information in different ways. | protocols will communicate this information in different ways. | |||
| Likewise, the means of communicating the signed nonce is also not | Likewise, the means of communicating the signed nonce is also not | |||
| specified, as this is also protocol specific. | specified, as this is also protocol specific. | |||
| Note that another means of proving possession of the key when it is a | Note that other means of proving possession of the key exist, which | |||
| symmetric key is to encrypt the key to the recipient. The means of | could be used in conjunction with a CWT's confirmation key. | |||
| obtaining a key for the recipient is likewise protocol specific. | Applications making use of such alternate means are encouraged to | |||
| register them in the IANA "CWT Confirmation Methods" registry | ||||
| established in Section 7.2. | ||||
| 4. Security Considerations | 4. Security Considerations | |||
| All of the security considerations that are discussed in [RFC8392] | All the security considerations that are discussed in [RFC8392] also | |||
| also apply here. In addition, proof of possession introduces its own | apply here. In addition, proof of possession introduces its own | |||
| unique security issues. Possessing a key is only valuable if it is | unique security issues. Possessing a key is only valuable if it is | |||
| kept secret. Appropriate means must be used to ensure that | kept secret. Appropriate means must be used to ensure that | |||
| unintended parties do not learn private key or symmetric key values. | unintended parties do not learn private key or symmetric key values. | |||
| Applications utilizing proof of possession SHOULD also utilize | Applications utilizing proof of possession SHOULD also utilize | |||
| audience restriction, as described in Section 4.1.3 of [JWT], as it | audience restriction, as described in Section 4.1.3 of [JWT], as it | |||
| provides additional protections. Audience restriction can be used by | provides additional protections. Audience restriction can be used by | |||
| recipients to reject messages intended for different recipients. | recipients to reject messages intended for different recipients. | |||
| A recipient might not understand the "cnf" claim. Applications that | A recipient might not understand the "cnf" claim. Applications that | |||
| require the proof-of-possession keys communicated with it to be | use proof-of-possession keys in CWTs with the "cnf" claim MUST ensure | |||
| understood and processed MUST ensure that the parts of this | that the parts of this specification that they use are implemented by | |||
| specification that they use are implemented. | the intended recipient. | |||
| CBOR Web Tokens with proof-of-possession keys are used in context of | CBOR Web Tokens with proof-of-possession keys are used in context of | |||
| an architecture, such as the ACE OAuth Framework | an architecture, such as the ACE OAuth Framework | |||
| [I-D.ietf-ace-oauth-authz], in which protocols are used by a | [I-D.ietf-ace-oauth-authz], in which protocols are used by a | |||
| presenter to request these tokens and to subsequently use them with | presenter to request these tokens and to subsequently use them with | |||
| recipients. To avoid replay attacks when the proof-of-possession | recipients. Proof of possession only provides the intended security | |||
| tokens are sent to presenters, a security protocol, which uses | gains when the proof is known to be current and not subject to replay | |||
| mechansims such as nonces or timestamps, has to be utilized. Note | attacks; security protocols using mechanisms such as nonces and | |||
| that a discussion of the architecture or specific protocols that CWT | timestamps can be used to avoid the risk of replay when performing | |||
| proof-of-possession tokens are used with is beyond the scope of this | proof of possession for a token. Note that a discussion of the | |||
| specification. | architecture or specific protocols that CWT proof-of-possession | |||
| tokens are used with is beyond the scope of this specification. | ||||
| As is the case with other information included in a CWT, it is | As is the case with other information included in a CWT, it is | |||
| necessary to apply data origin authentication and integrity | necessary to apply data origin authentication and integrity | |||
| protection (via a keyed message digest or a digital signature). Data | protection (via a keyed message digest or a digital signature). Data | |||
| origin authentication ensures that the recipient of the CWT learns | origin authentication ensures that the recipient of the CWT learns | |||
| about the entity that created the CWT since this will be important | about the entity that created the CWT since this will be important | |||
| for any policy decisions. Integrity protection prevents an adversary | for any policy decisions. Integrity protection prevents an adversary | |||
| from changing any elements conveyed within the CWT payload. Special | from changing any elements conveyed within the CWT payload. Special | |||
| care has to be applied when carrying symmetric keys inside the CWT | care has to be applied when carrying symmetric keys inside the CWT | |||
| since those not only require integrity protection but also | since those not only require integrity protection but also | |||
| confidentiality protection. | confidentiality protection (e.g., either by encrypting the "cnf" | |||
| element, as specified in Section 3.3, or by encrypting the whole CWT, | ||||
| as specified in [RFC8392]). | ||||
| As described in Section 6 (Key Identification) and Appendix D (Notes | As described in Section 6 (Key Identification) and Appendix D (Notes | |||
| on Key Selection) of [JWS], it is important to make explicit trust | on Key Selection) of [JWS], it is important to make explicit trust | |||
| decisions about the keys. Proof-of-possession signatures made with | decisions about the keys. Proof-of-possession signatures made with | |||
| keys not meeting the application's trust criteria MUST NOT be relied | keys not meeting the application's trust criteria MUST NOT be relied | |||
| upon. | upon. | |||
| 5. Privacy Considerations | 5. Privacy Considerations | |||
| A proof-of-possession key can be used as a correlation handle if the | A proof-of-possession key can be used as a correlation handle if the | |||
| same key is used with multiple parties. Thus, for privacy reasons, | same key is used on multiple occasions. Thus, for privacy reasons, | |||
| it is recommended that different proof-of-possession keys be used | it is recommended that different proof-of-possession keys be used | |||
| when interacting with different parties. | when interacting with different parties. | |||
| 6. Operational Considerations | 6. Operational Considerations | |||
| The use of CWTs with proof-of-possession keys requires additional | The use of CWTs with proof-of-possession keys requires additional | |||
| information to be shared between the involved parties in order to | information to be shared between the involved parties in order to | |||
| ensure correct processing. The recipient needs to be able to use | ensure correct processing. The recipient needs to be able to use | |||
| credentials to verify the authenticity, integrity, and potentially | credentials to verify the authenticity and integrity of the CWT. | |||
| the confidentiality of the CWT and its content. This requires the | Furthermore, the recipient may need to be able to decrypt either the | |||
| recipient to know information about the issuer. Likewise, there | whole CWT or the encrypted parts thereof (see Section 3.3). This | |||
| needs to be agreement between the issuer and the recipient about the | requires the recipient to know information about the issuer. | |||
| claims being used (which is also true of CWTs in general). | Likewise, there needs to be agreement between the issuer and the | |||
| recipient about the claims being used (which is also true of CWTs in | ||||
| general). | ||||
| When an issuer creates a CWT containing a Key ID claim, it needs to | When an issuer creates a CWT containing a Key ID claim, it needs to | |||
| make sure that it does not issue another CWT containing the same Key | make sure that it does not issue another CWT with different claims | |||
| ID with a different content, or for a different subject, within the | containing the same Key ID within the lifetime of the CWTs, unless | |||
| lifetime of the CWTs, unless intentionally desired. Failure to do so | intentionally desired. Failure to do so may allow one party to | |||
| may allow one party to impersonate another party, with the potential | impersonate another party, with the potential to gain additional | |||
| to gain additional privileges. Likewise, if PoP keys are used for | privileges. A case where such reuse of a Key ID would be intentional | |||
| is when a presenter obtains a CWT with different claims (e.g., | ||||
| extended scope) for the same recipient, but wants to continue using | ||||
| an existing security association (e.g., a DTLS session) bound to the | ||||
| key identified by the Key ID. Likewise, if PoP keys are used for | ||||
| multiple different kinds of CWTs in an application and the PoP keys | multiple different kinds of CWTs in an application and the PoP keys | |||
| are identified by Key IDs, care must be taken to keep the keys for | are identified by Key IDs, care must be taken to keep the keys for | |||
| the different kinds of CWTs segregated so that an attacker cannot | the different kinds of CWTs segregated so that an attacker cannot | |||
| cause the wrong PoP key to be used by using a valid Key ID for the | cause the wrong PoP key to be used by using a valid Key ID for the | |||
| wrong kind of CWT. | wrong kind of CWT. Using an audience restriction for the CWT would | |||
| be one strategy to mitigate this risk. | ||||
| 7. IANA Considerations | 7. IANA Considerations | |||
| The following registration procedure is used for all the registries | The following registration procedure is used for all the registries | |||
| established by this specification. | established by this specification. | |||
| Values are registered on a Specification Required [RFC8126] basis | Values are registered on a Specification Required [RFC8126] basis | |||
| after a three-week review period on the cwt-reg-review@ietf.org | after a three-week review period on the cwt-reg-review@ietf.org | |||
| mailing list, on the advice of one or more Designated Experts. | mailing list, on the advice of one or more Designated Experts. | |||
| However, to allow for the allocation of values prior to publication, | However, to allow for the allocation of values prior to publication, | |||
| skipping to change at page 10, line 49 ¶ | skipping to change at page 10, line 21 ¶ | |||
| the RFC Editor: The name of the mailing list should be determined in | the RFC Editor: The name of the mailing list should be determined in | |||
| consultation with the IESG and IANA. Suggested name: cwt-reg- | consultation with the IESG and IANA. Suggested name: cwt-reg- | |||
| review@ietf.org. ]] | review@ietf.org. ]] | |||
| Registration requests sent to the mailing list for review should use | Registration requests sent to the mailing list for review should use | |||
| an appropriate subject (e.g., "Request to Register CWT Confirmation | an appropriate subject (e.g., "Request to Register CWT Confirmation | |||
| Method: example"). Registration requests that are undetermined for a | Method: example"). Registration requests that are undetermined for a | |||
| period longer than 21 days can be brought to the IESG's attention | period longer than 21 days can be brought to the IESG's attention | |||
| (using the iesg@ietf.org mailing list) for resolution. | (using the iesg@ietf.org mailing list) for resolution. | |||
| Criteria that should be applied by the Designated Experts include | Designated Experts should determine whether a registration request | |||
| determining whether the proposed registration duplicates existing | contains enough information for the registry to be populated with the | |||
| functionality, determining whether it is likely to be of general | new values and whether the proposed new functionality already exists. | |||
| applicability or whether it is useful only for a single application, | In the case of an incomplete registration or an attempt to register | |||
| and evaluating the security properties of the item being registered | already existing functionality, the Designated Experts should ask for | |||
| and whether the registration makes sense. | corrections or reject the registration. | |||
| It is suggested that multiple Designated Experts be appointed who are | It is suggested that multiple Designated Experts be appointed who are | |||
| able to represent the perspectives of different applications using | able to represent the perspectives of different applications using | |||
| this specification in order to enable broadly informed review of | this specification in order to enable broadly informed review of | |||
| registration decisions. In cases where a registration decision could | registration decisions. In cases where a registration decision could | |||
| be perceived as creating a conflict of interest for a particular | be perceived as creating a conflict of interest for a particular | |||
| Expert, that Expert should defer to the judgment of the other | Expert, that Expert should defer to the judgment of the other | |||
| Experts. | Experts. | |||
| 7.1. CBOR Web Token Claims Registration | 7.1. CBOR Web Token Claims Registration | |||
| skipping to change at page 12, line 13 ¶ | skipping to change at page 11, line 36 ¶ | |||
| registrations for which the JWT Claim Name is listed as "N/A". | registrations for which the JWT Claim Name is listed as "N/A". | |||
| Confirmation Key: | Confirmation Key: | |||
| CBOR map key value for the confirmation method. | CBOR map key value for the confirmation method. | |||
| Confirmation Value Type(s): | Confirmation Value Type(s): | |||
| CBOR types that can be used for the confirmation method value. | CBOR types that can be used for the confirmation method value. | |||
| Change Controller: | Change Controller: | |||
| For Standards Track RFCs, list the "IESG". For others, give the | For Standards Track RFCs, list the "IESG". For others, give the | |||
| name of the responsible party. Other details (e.g., postal | name of the responsible party. | |||
| address, email address, home page URI) may also be included. | ||||
| Specification Document(s): | Specification Document(s): | |||
| Reference to the document or documents that specify the parameter, | Reference to the document or documents that specify the parameter, | |||
| preferably including URIs that can be used to retrieve copies of | preferably including URIs that can be used to retrieve copies of | |||
| the documents. An indication of the relevant sections may also be | the documents. An indication of the relevant sections may also be | |||
| included but is not required. | included but is not required. Note that the Designated Experts | |||
| and IANA must be able to obtain copies of the specification | ||||
| document(s) to perform their work. | ||||
| 7.2.2. Initial Registry Contents | 7.2.2. Initial Registry Contents | |||
| o Confirmation Method Name: "COSE_Key" | o Confirmation Method Name: "COSE_Key" | |||
| o Confirmation Method Description: COSE_Key Representing Public Key | o Confirmation Method Description: COSE_Key Representing Public Key | |||
| o JWT Confirmation Method Name: "jwk" | o JWT Confirmation Method Name: "jwk" | |||
| o Confirmation Key: 1 | o Confirmation Key: 1 | |||
| o Confirmation Value Type(s): COSE_Key structure | o Confirmation Value Type(s): COSE_Key structure | |||
| o Change Controller: IESG | o Change Controller: IESG | |||
| o Specification Document(s): Section 3.2 of [[ this document ]] | o Specification Document(s): Section 3.2 of [[ this document ]] | |||
| skipping to change at page 14, line 30 ¶ | skipping to change at page 14, line 5 ¶ | |||
| [RFC7800] Jones, M., Bradley, J., and H. Tschofenig, "Proof-of- | [RFC7800] Jones, M., Bradley, J., and H. Tschofenig, "Proof-of- | |||
| Possession Key Semantics for JSON Web Tokens (JWTs)", | Possession Key Semantics for JSON Web Tokens (JWTs)", | |||
| RFC 7800, DOI 10.17487/RFC7800, April 2016, | RFC 7800, DOI 10.17487/RFC7800, April 2016, | |||
| <https://www.rfc-editor.org/info/rfc7800>. | <https://www.rfc-editor.org/info/rfc7800>. | |||
| [RFC8259] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data | [RFC8259] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data | |||
| Interchange Format", STD 90, RFC 8259, | Interchange Format", STD 90, RFC 8259, | |||
| DOI 10.17487/RFC8259, December 2017, | DOI 10.17487/RFC8259, December 2017, | |||
| <https://www.rfc-editor.org/info/rfc8259>. | <https://www.rfc-editor.org/info/rfc8259>. | |||
| [RFC8610] Birkholz, H., Vigano, C., and C. Bormann, "Concise Data | ||||
| Definition Language (CDDL): A Notational Convention to | ||||
| Express Concise Binary Object Representation (CBOR) and | ||||
| JSON Data Structures", RFC 8610, DOI 10.17487/RFC8610, | ||||
| June 2019, <https://www.rfc-editor.org/info/rfc8610>. | ||||
| Acknowledgements | Acknowledgements | |||
| Thanks to the following people for their reviews of the | Thanks to the following people for their reviews of the | |||
| specification: Roman Danyliw, Michael Richardson, and Jim Schaad. | specification: Roman Danyliw, Benjamin Kaduk, Michael Richardson, and | |||
| Jim Schaad. | ||||
| Ludwig Seitz and Goeran Selander worked on this document as part of | Ludwig Seitz and Goeran Selander worked on this document as part of | |||
| the CelticPlus project CyberWI, with funding from Vinnova. | the CelticPlus project CyberWI, with funding from Vinnova. | |||
| Document History | Document History | |||
| [[ to be removed by the RFC Editor before publication as an RFC ]] | [[ to be removed by the RFC Editor before publication as an RFC ]] | |||
| -07 | ||||
| o Addressed Area Director review by Benjamin Kaduk. | ||||
| -06 | -06 | |||
| o Corrected nits identified by Roman Danyliw. | o Corrected nits identified by Roman Danyliw. | |||
| -05 | -05 | |||
| o Added text suggested by Jim Schaad describing considerations when | o Added text suggested by Jim Schaad describing considerations when | |||
| using the Key ID confirmation method. | using the Key ID confirmation method. | |||
| -04 | -04 | |||
| skipping to change at page 16, line 19 ¶ | skipping to change at page 16, line 4 ¶ | |||
| Email: ludwig@ri.se | Email: ludwig@ri.se | |||
| Goeran Selander | Goeran Selander | |||
| Ericsson AB | Ericsson AB | |||
| Faeroegatan 6 | Faeroegatan 6 | |||
| Kista 164 80 | Kista 164 80 | |||
| Sweden | Sweden | |||
| Email: goran.selander@ericsson.com | Email: goran.selander@ericsson.com | |||
| Samuel Erdtman | Samuel Erdtman | |||
| Spotify | Spotify | |||
| Email: erdtman@spotify.com | Email: erdtman@spotify.com | |||
| Hannes Tschofenig | Hannes Tschofenig | |||
| ARM Ltd. | Arm Ltd. | |||
| Hall in Tirol 6060 | Hall in Tirol 6060 | |||
| Austria | Austria | |||
| Email: Hannes.Tschofenig@arm.com | Email: Hannes.Tschofenig@arm.com | |||
| End of changes. 43 change blocks. | ||||
| 133 lines changed or deleted | 117 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||