I've written a concise Internet-Draft on proof-of-possession for JWTs with John Bradley and Hannes Tschofenig. Quoting from the abstract:
This specification defines how to express a declaration in a JSON Web Token (JWT) that the presenter of the JWT possesses a particular key and that the recipient can cryptographically confirm proof-of-possession of the key by the presenter. This property is also sometimes described as the presenter being a holder-of-key. This specification intentionally does not specify the means of communicating the proof-of-possession JWT, nor the messages used to exercise the proof key, as these are necessarily application-specific. Rather, this specification defines a proof-of-possession JWT data structure to be used by other specifications that do define those things.

The specification is available at:

* http://tools.ietf.org/html/draft-jones-oauth-proof-of-possession-00

An HTML formatted version is available at:

* http://self-issued.info/docs/draft-jones-oauth-proof-of-possession-00.html

-- Mike

P.S. This note was also posted at http://self-issued.info/?p=1210 and as @selfissued.
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
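As an added illustration (not part of Mike's post or of the draft's text), here is the holder-of-key check the abstract describes, in standard-library Python: the issuer binds a key to the JWT, and the recipient accepts the JWT only from a presenter who can exercise that key. The "cnf" claim with a "kid" member, the constructed keys, the issuer URL and the nonce-challenge exchange are assumptions; the abstract leaves the exchange application-specific, and whether draft -00 used the "cnf"/"kid" names of the later RFC 7800 is not stated on this page.

```python
import base64, hashlib, hmac, json, os, time

# Constructed keys (not from the draft): the issuer's JWT-signing key, and the confirmation
# key the presenter holds and the recipient already knows under its "kid" (obtained out of band).
ISSUER_KEY = b"constructed-issuer-hmac-key-0123456789"
POP_KEY = b"constructed-presenter-confirmation-key"
RECIPIENT_KEYSTORE = {"pop-key-1": POP_KEY}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_pop_jwt(sub: str, cnf_kid: str, lifetime: int = 300) -> str:
    """Issuer mints an HS256 JWT whose "cnf" claim names the presenter's key (assumed claim names)."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": "https://as.example", "sub": sub,
              "exp": int(time.time()) + lifetime, "cnf": {"kid": cnf_kid}}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(ISSUER_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_jwt(token: str) -> dict:
    """Recipient checks the issuer's signature and expiry before trusting any claim."""
    h, p, s = token.split(".")
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(ISSUER_KEY, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad issuer signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("exp", 0) <= time.time():
        raise ValueError("token expired")
    return claims

def prove_possession(pop_key: bytes, nonce: bytes) -> bytes:
    """Presenter answers the recipient's fresh nonce with an HMAC under the confirmation key."""
    return hmac.new(pop_key, nonce, hashlib.sha256).digest()

def confirm_presenter(token: str, nonce: bytes, proof: bytes) -> bool:
    """Recipient: the JWT must verify, its cnf must name a known key, and that key must reproduce the proof."""
    claims = verify_jwt(token)
    key = RECIPIENT_KEYSTORE.get(claims.get("cnf", {}).get("kid"))
    return key is not None and hmac.compare_digest(prove_possession(key, nonce), proof)

if __name__ == "__main__":
    token, nonce = issue_pop_jwt("alice", "pop-key-1"), os.urandom(16)
    print(confirm_presenter(token, nonce, prove_possession(POP_KEY, nonce)))   # holder of key: True
    print(confirm_presenter(token, nonce, prove_possession(b"wrong", nonce)))  # replayed bearer: False
```

Because the recipient challenges with a fresh nonce, a captured JWT alone is useless to anyone who does not hold the confirmation key, which is the property the abstract contrasts with a plain bearer token.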
