| < draft-ietf-oauth-proof-of-possession-08.txt | draft-ietf-oauth-proof-of-possession-09.txt > | |||
|---|---|---|---|---|
| OAuth Working Group M. Jones | OAuth Working Group M. Jones | |||
| Internet-Draft Microsoft | Internet-Draft Microsoft | |||
| Intended status: Standards Track J. Bradley | Intended status: Standards Track J. Bradley | |||
| Expires: June 2, 2016 Ping Identity | Expires: June 15, 2016 Ping Identity | |||
| H. Tschofenig | H. Tschofenig | |||
| ARM Limited | ARM Limited | |||
| November 30, 2015 | December 13, 2015 | |||
| Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs) | Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs) | |||
| draft-ietf-oauth-proof-of-possession-08 | draft-ietf-oauth-proof-of-possession-09 | |||
| Abstract | Abstract | |||
| This specification defines how to express a declaration in a JSON Web | This specification defines how to express a declaration in a JSON Web | |||
| Token (JWT) that the presenter of the JWT possesses a particular key | Token (JWT) that the presenter of the JWT possesses a particular key | |||
| and that the recipient can cryptographically confirm proof-of- | and that the recipient can cryptographically confirm proof-of- | |||
| possession of the key by the presenter. Being able to prove | possession of the key by the presenter. Being able to prove | |||
| possession of a key is also sometimes described as the presenter | possession of a key is also sometimes described as the presenter | |||
| being a holder-of-key. | being a holder-of-key. | |||
| skipping to change at page 1, line 38 | skipping to change at page 1, line 38 | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on June 2, 2016. | This Internet-Draft will expire on June 15, 2016. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2015 IETF Trust and the persons identified as the | Copyright (c) 2015 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 7, line 29 | skipping to change at page 7, line 29 | |||
| 3.2. Representation of an Asymmetric Proof-of-Possession Key | 3.2. Representation of an Asymmetric Proof-of-Possession Key | |||
| When the key held by the presenter is an asymmetric private key, the | When the key held by the presenter is an asymmetric private key, the | |||
| "jwk" member is a JSON Web Key (JWK) [JWK] representing the | "jwk" member is a JSON Web Key (JWK) [JWK] representing the | |||
| corresponding asymmetric public key. The following example | corresponding asymmetric public key. The following example | |||
| demonstrates such a declaration in the JWT Claims Set of a JWT: | demonstrates such a declaration in the JWT Claims Set of a JWT: | |||
| { | { | |||
| "iss": "https://server.example.com", | "iss": "https://server.example.com", | |||
| "aud": "https://client.example.org", | "aud": "https://client.example.org", | |||
| "exp": "1361398824", | "exp": 1361398824, | |||
| "cnf":{ | "cnf":{ | |||
| "jwk":{ | "jwk":{ | |||
| "kty": "EC", | "kty": "EC", | |||
| "use": "sig", | "use": "sig", | |||
| "crv": "P-256", | "crv": "P-256", | |||
| "x": "18wHLeIgW9wVN6VD1Txgpqy2LszYkMf6J8njVAibvhM", | "x": "18wHLeIgW9wVN6VD1Txgpqy2LszYkMf6J8njVAibvhM", | |||
| "y": "-V4dS4UaLMgP_4fY4j8ir7cl1TXlFdAgcx55o7TkcSA" | "y": "-V4dS4UaLMgP_4fY4j8ir7cl1TXlFdAgcx55o7TkcSA" | |||
| } | } | |||
| } | } | |||
| } | } | |||
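Review bot: the only change in this hunk is the "exp" value, from the quoted string "1361398824" on the left to the bare number 1361398824 on the right, which is the fix the -09 history entry describes. It is more than cosmetic: a recipient decides whether the token has expired by comparing "exp" with the current time, and a string-typed value either fails that comparison or is silently coerced depending on the JSON library, so the example should show the numeric form implementers are expected to validate against. The same treatment is needed for every "exp" in the draft; the later hunks apply it.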
| skipping to change at page 9, line 23 | skipping to change at page 9, line 23 | |||
| (confirmation) claim in the JWT whose value is a JSON object, with | (confirmation) claim in the JWT whose value is a JSON object, with | |||
| the JSON object containing a "kid" (key ID) member identifying the | the JSON object containing a "kid" (key ID) member identifying the | |||
| key. | key. | |||
| The following example demonstrates such a declaration in the JWT | The following example demonstrates such a declaration in the JWT | |||
| Claims Set of a JWT: | Claims Set of a JWT: | |||
| { | { | |||
| "iss": "https://server.example.com", | "iss": "https://server.example.com", | |||
| "aud": "https://client.example.org", | "aud": "https://client.example.org", | |||
| "exp": "1361398824", | "exp": 1361398824, | |||
| "cnf":{ | "cnf":{ | |||
| "kid": "dfd1aa97-6d8d-4575-a0fe-34b96de2bfad" | "kid": "dfd1aa97-6d8d-4575-a0fe-34b96de2bfad" | |||
| } | } | |||
| } | } | |||
| The content of the "kid" value is application specific. For | The content of the "kid" value is application specific. For | |||
| instance, some applications may choose to use a JWK Thumbprint | instance, some applications may choose to use a JWK Thumbprint | |||
| [JWK.Thumbprint] value as the "kid" value. | [JWK.Thumbprint] value as the "kid" value. | |||
| 3.5. Representation of a URL for a Proof-of-Possession Key | 3.5. Representation of a URL for a Proof-of-Possession Key | |||
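Review bot: the same numeric "exp" correction is applied in the 3.4 example and nothing else in it changed. One point on the surrounding text: with only a "kid" inside "cnf", the token carries no key material, so the recipient must already hold, or be able to resolve, the key that identifier names, and the paragraph after the example could say so explicitly. Of the two options it mentions, the JWK Thumbprint is the stronger choice, because the identifier is then derived from the key itself rather than being an arbitrary label like the UUID in the example.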
| skipping to change at page 10, line 9 | skipping to change at page 10, line 9 | |||
| Transport Layer Security (TLS) [RFC5246]; and the identity of the | Transport Layer Security (TLS) [RFC5246]; and the identity of the | |||
| server MUST be validated, as per Section 6 of RFC 6125 [RFC6125]. | server MUST be validated, as per Section 6 of RFC 6125 [RFC6125]. | |||
| The following example demonstrates such a declaration in the JWT | The following example demonstrates such a declaration in the JWT | |||
| Claims Set of a JWT: | Claims Set of a JWT: | |||
| { | { | |||
| "iss": "https://server.example.com", | "iss": "https://server.example.com", | |||
| "sub": "17760704", | "sub": "17760704", | |||
| "aud": "https://client.example.org", | "aud": "https://client.example.org", | |||
| "exp": "1440804813", | "exp": 1440804813, | |||
| "cnf":{ | "cnf":{ | |||
| "jku": "https://keys.example.net/pop-keys.json", | "jku": "https://keys.example.net/pop-keys.json", | |||
| "kid": "2015-08-28" | "kid": "2015-08-28" | |||
| } | } | |||
| } | } | |||
| 3.6. Specifics Intentionally Not Specified | 3.6. Specifics Intentionally Not Specified | |||
| Proof-of-possession is typically demonstrated by having the presenter | Proof-of-possession is typically demonstrated by having the presenter | |||
| sign a value determined by the recipient using the key possessed by | sign a value determined by the recipient using the key possessed by | |||
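Review bot: the "exp" fix is applied here too, so the 3.5 example is now consistent with 3.2 and 3.4. The example's "jku" is an https URL, which is what the preceding requirement (TLS per RFC 5246 and server identity validation per Section 6 of RFC 6125) calls for on the fetch, and "kid": "2015-08-28" is what the recipient uses to select one key from the retrieved set. Suggest the text state that a retrieved set containing no key with the named "kid" is a failed confirmation, so an implementation does not fall back to some other key in the set.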
| skipping to change at page 15, line 41 | skipping to change at page 15, line 41 | |||
| Appendix A. Acknowledgements | Appendix A. Acknowledgements | |||
| The authors wish to thank Brian Campbell, Kepeng Li, James Manger, | The authors wish to thank Brian Campbell, Kepeng Li, James Manger, | |||
| Kathleen Moriarty, Justin Richer, and Nat Sakimura for their reviews | Kathleen Moriarty, Justin Richer, and Nat Sakimura for their reviews | |||
| of the specification. | of the specification. | |||
| Appendix B. Document History | Appendix B. Document History | |||
| [[ to be removed by the RFC Editor before publication as an RFC ]] | [[ to be removed by the RFC Editor before publication as an RFC ]] | |||
| | -09 | |||
| | o Removed erroneous quotation marks around numeric "exp" claim | |||
| | values in examples. | |||
| -08 | -08 | |||
| o Added security consideration about also utilizing audience | o Added security consideration about also utilizing audience | |||
| restriction. | restriction. | |||
| -07 | -07 | |||
| o Addressed review comments by Hannes Tschofenig, Kathleen Moriarty, | o Addressed review comments by Hannes Tschofenig, Kathleen Moriarty, | |||
| and Justin Richer. Changes were: | and Justin Richer. Changes were: | |||
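Review bot: the new -09 history entry accurately summarises the one substantive change in this diff, the numeric "exp" values in the three examples (Sections 3.2, 3.4 and 3.5); the remaining differences are the version number, dates and expiry in the boilerplate. Minor: naming the affected sections in the entry would let a reader verify the change without scanning every example.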
End of changes. 8 change blocks. 7 lines changed or deleted, 12 lines changed or added.
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/