< draft-ietf-oauth-pop-key-distribution-00.txt   draft-ietf-oauth-pop-key-distribution-01.txt >
Network Working Group J. Bradley Network Working Group J. Bradley
Internet-Draft Ping Identity Internet-Draft Ping Identity
Intended status: Standards Track P. Hunt Intended status: Standards Track P. Hunt
Expires: January 22, 2015 Oracle Corporation Expires: September 6, 2015 Oracle Corporation
M. Jones M. Jones
Microsoft Microsoft
H. Tschofenig H. Tschofenig
ARM Limited ARM Limited
July 21, 2014 March 5, 2015
OAuth 2.0 Proof-of-Possession: Authorization Server to Client Key OAuth 2.0 Proof-of-Possession: Authorization Server to Client Key
Distribution Distribution
draft-ietf-oauth-pop-key-distribution-00.txt draft-ietf-oauth-pop-key-distribution-01.txt
Abstract Abstract
RFC 6750 specified the bearer token concept for securing access to RFC 6750 specified the bearer token concept for securing access to
protected resources. Bearer tokens need to be protected in transit protected resources. Bearer tokens need to be protected in transit
as well as at rest. When a client requests access to a protected as well as at rest. When a client requests access to a protected
resource it hands-over the bearer token to the resource server. resource it hands-over the bearer token to the resource server.
The OAuth 2.0 Proof-of-Possession security concept extends bearer The OAuth 2.0 Proof-of-Possession security concept extends bearer
token security and requires the client to demonstrate possession of a token security and requires the client to demonstrate possession of a
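Review bot: in the abstract, "it hands-over the bearer token to the resource server" should read "it hands over the bearer token"; hyphenating the verb makes it look like a compound noun. The sentence is identical in both columns, so the slip carries over from -00 into -01 unchanged.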
skipping to change at page 1, line 46 skipping to change at page 1, line 46
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 22, 2015. This Internet-Draft will expire on September 6, 2015.
Copyright Notice Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
skipping to change at page 2, line 44 skipping to change at page 2, line 44
7. Security Considerations . . . . . . . . . . . . . . . . . . . 13 7. Security Considerations . . . . . . . . . . . . . . . . . . . 13
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14
9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 15 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 15
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 15 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 15
10.1. Normative References . . . . . . . . . . . . . . . . . . 15 10.1. Normative References . . . . . . . . . . . . . . . . . . 15
10.2. Informative References . . . . . . . . . . . . . . . . . 16 10.2. Informative References . . . . . . . . . . . . . . . . . 16
Appendix A. Augmented Backus-Naur Form (ABNF) Syntax . . . . . . 17 Appendix A. Augmented Backus-Naur Form (ABNF) Syntax . . . . . . 17
A.1. 'aud' Syntax . . . . . . . . . . . . . . . . . . . . . . 17 A.1. 'aud' Syntax . . . . . . . . . . . . . . . . . . . . . . 17
A.2. 'key' Syntax . . . . . . . . . . . . . . . . . . . . . . 17 A.2. 'key' Syntax . . . . . . . . . . . . . . . . . . . . . . 17
A.3. 'alg' Syntax . . . . . . . . . . . . . . . . . . . . . . 17 A.3. 'alg' Syntax . . . . . . . . . . . . . . . . . . . . . . 17
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 17 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 18
1. Introduction 1. Introduction
The work on additional security mechanisms beyond OAuth 2.0 bearer The work on additional security mechanisms beyond OAuth 2.0 bearer
tokens [12] is motivated in [17], which also outlines use cases, tokens [12] is motivated in [17], which also outlines use cases,
requirements and an architecture. This document defines the ability requirements and an architecture. This document defines the ability
for the client indicate support for this functionality and to obtain for the client indicate support for this functionality and to obtain
keying material from the authorization server. As an outcome of the keying material from the authorization server. As an outcome of the
exchange between the client and the authorization server is an access exchange between the client and the authorization server is an access
token that is bound to keying material. Clients that access token that is bound to keying material. Clients that access
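Review bot: two grammar problems in the first paragraph of the introduction survive unchanged from -00 to -01. "the ability for the client indicate support for this functionality" is missing "to" (read "for the client to indicate support"), and "As an outcome of the exchange between the client and the authorization server is an access token that is bound to keying material" has no subject; suggest "The outcome of the exchange between the client and the authorization server is an access token that is bound to keying material."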
skipping to change at page 16, line 9 skipping to change at page 16, line 9
6749, October 2012. 6749, October 2012.
[3] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform [3] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
Resource Identifier (URI): Generic Syntax", STD 66, RFC Resource Identifier (URI): Generic Syntax", STD 66, RFC
3986, January 2005. 3986, January 2005.
[4] Dierks, T. and E. Rescorla, "The Transport Layer Security [4] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", RFC 5246, August 2008. (TLS) Protocol Version 1.2", RFC 5246, August 2008.
[5] Jones, M., "JSON Web Key (JWK)", draft-ietf-jose-json-web- [5] Jones, M., "JSON Web Key (JWK)", draft-ietf-jose-json-web-
key-31 (work in progress), July 2014. key-41 (work in progress), January 2015.
[6] Jones, M., Bradley, J., and N. Sakimura, "JSON Web [6] Jones, M., Bradley, J., and N. Sakimura, "JSON Web
Signature (JWS)", draft-ietf-jose-json-web-signature-31 Signature (JWS)", draft-ietf-jose-json-web-signature-41
(work in progress), July 2014. (work in progress), January 2015.
[7] Jones, M., "JSON Web Algorithms (JWA)", draft-ietf-jose- [7] Jones, M., "JSON Web Algorithms (JWA)", draft-ietf-jose-
json-web-algorithms-31 (work in progress), July 2014. json-web-algorithms-40 (work in progress), January 2015.
[8] Jones, M. and J. Hildebrand, "JSON Web Encryption (JWE)", [8] Jones, M. and J. Hildebrand, "JSON Web Encryption (JWE)",
draft-ietf-jose-json-web-encryption-31 (work in progress), draft-ietf-jose-json-web-encryption-40 (work in progress),
July 2014. January 2015.
[9] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token [9] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token
(JWT)", draft-ietf-oauth-json-web-token-25 (work in (JWT)", draft-ietf-oauth-json-web-token-32 (work in
progress), July 2014. progress), December 2014.
[10] Jones, M., Bradley, J., and H. Tschofenig, "Proof-Of- [10] Jones, M., Bradley, J., and H. Tschofenig, "Proof-Of-
Possession Semantics for JSON Web Tokens (JWTs)", draft- Possession Semantics for JSON Web Tokens (JWTs)", draft-
jones-oauth-proof-of-possession-02 (work in progress), jones-oauth-proof-of-possession-02 (work in progress),
July 2014. July 2014.
[11] Jones, M., "JSON Web Key (JWK) Thumbprint", draft-jones- [11] Jones, M., "JSON Web Key (JWK) Thumbprint", draft-jones-
jose-jwk-thumbprint-00 (work in progress), April 2014. jose-jwk-thumbprint-01 (work in progress), July 2014.
10.2. Informative References 10.2. Informative References
[12] Jones, M. and D. Hardt, "The OAuth 2.0 Authorization [12] Jones, M. and D. Hardt, "The OAuth 2.0 Authorization
Framework: Bearer Token Usage", RFC 6750, October 2012. Framework: Bearer Token Usage", RFC 6750, October 2012.
[13] Crocker, D. and P. Overell, "Augmented BNF for Syntax [13] Crocker, D. and P. Overell, "Augmented BNF for Syntax
Specifications: ABNF", STD 68, RFC 5234, January 2008. Specifications: ABNF", STD 68, RFC 5234, January 2008.
[14] Campbell, B., Mortimore, C., Jones, M., and Y. Goland, [14] Campbell, B., Mortimore, C., Jones, M., and Y. Goland,
"Assertion Framework for OAuth 2.0 Client Authentication "Assertion Framework for OAuth 2.0 Client Authentication
and Authorization Grants", draft-ietf-oauth-assertions-16 and Authorization Grants", draft-ietf-oauth-assertions-18
(work in progress), April 2014. (work in progress), October 2014.
[15] Sakimura, N., Bradley, J., and N. Agarwal, "OAuth [15] Sakimura, N., Bradley, J., and N. Agarwal, "OAuth
Symmetric Proof of Posession for Code Extension", draft- Symmetric Proof of Posession for Code Extension", draft-
sakimura-oauth-tcse-03 (work in progress), April 2014. sakimura-oauth-tcse-03 (work in progress), April 2014.
[16] Richer, J., Jones, M., Bradley, J., Machulak, M., and P. [16] ietf@justin.richer.org, i., Jones, M., Bradley, J.,
Hunt, "OAuth 2.0 Dynamic Client Registration Protocol", Machulak, M., and P. Hunt, "OAuth 2.0 Dynamic Client
draft-ietf-oauth-dyn-reg-18 (work in progress), July 2014. Registration Protocol", draft-ietf-oauth-dyn-reg-24 (work
in progress), February 2015.
[17] Hunt, P., Richer, J., Mills, W., Mishra, P., and H. [17] Hunt, P., Richer, J., Mills, W., Mishra, P., and H.
Tschofenig, "OAuth 2.0 Proof-of-Possession (PoP) Security Tschofenig, "OAuth 2.0 Proof-of-Possession (PoP) Security
Architecture", draft-hunt-oauth-pop-architecture-02 (work Architecture", draft-hunt-oauth-pop-architecture-02 (work
in progress), June 2014. in progress), June 2014.
[18] Richer, J., "OAuth Token Introspection", draft-richer- [18] Richer, J., "OAuth Token Introspection", draft-richer-
oauth-introspection-06 (work in progress), July 2014. oauth-introspection-06 (work in progress), July 2014.
[19] Richer, J., Bradley, J., and H. Tschofenig, "A Method for [19] Richer, J., Bradley, J., and H. Tschofenig, "A Method for
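Review bot: the -01 column has a corrupted author list for reference [16]: "Richer, J., Jones, M., Bradley, J., Machulak, M., and P. Hunt" became "ietf@justin.richer.org, i., Jones, M., Bradley, J., Machulak, M., and P. Hunt", which reads as an e-mail address substituted for the first author's surname and initial when the entry was regenerated for draft-ietf-oauth-dyn-reg-24; restore "Richer, J." before publishing. Two smaller points in the same section: the title of [15] still reads "Symmetric Proof of Posession" in both columns ("Possession" is misspelled), and while the JOSE and JWT references [5] through [9] were refreshed to their January 2015 versions, [10], [11], [17] and [18] keep their 2014 versions, so it is worth checking whether newer revisions of those drafts existed at the March 2015 submission date.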
 End of changes. 14 change blocks. 
20 lines changed or deleted 21 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/