Is having multiple confirmation keys a common case?  I'd rather we "make simple 
things simple" than build the most general solution possible.  If an 
application really needs multiple confirmation keys, it can always define a 
"jwks" element and the handling rules for it, and go for it...

                                                            -- Mike

From: Chuck Mortimore [mailto:[email protected]]
Sent: Saturday, April 12, 2014 6:12 PM
To: Mike Jones
Cc: [email protected]
Subject: Re: [OAUTH-WG] Proof-Of-Possession Semantics for JSON Web Tokens (JWTs)

Good start here Mike!

One quick question - I see the "cnf" member is defined as a JWK.  Why not a JWK 
Set?  I could see use-cases for binding in multiple keys.

-cmort



On Tue, Apr 1, 2014 at 8:36 PM, Mike Jones <[email protected]> wrote:
I've written a concise Internet-Draft on proof-of-possession for JWTs with John 
Bradley and Hannes Tschofenig.  Quoting from the abstract:

This specification defines how to express a declaration in a JSON Web Token 
(JWT) that the presenter of the JWT possesses a particular key and that the 
recipient can cryptographically confirm proof-of-possession of the key by the 
presenter. This property is also sometimes described as the presenter being a 
holder-of-key.

This specification intentionally does not specify the means of communicating 
the proof-of-possession JWT, nor the messages used to exercise the proof key, 
as these are necessarily application-specific.  Rather, this specification 
defines a proof-of-possession JWT data structure to be used by other 
specifications that do define those things.

The specification is available at:

*        http://tools.ietf.org/html/draft-jones-oauth-proof-of-possession-00

An HTML formatted version is available at:

*        http://self-issued.info/docs/draft-jones-oauth-proof-of-possession-00.html

                                                            -- Mike

P.S.  This note was also posted at http://self-issued.info/?p=1210 and as 
@selfissued.


_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
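
Added example, not part of the original thread or of the draft: a recipient-side check that the presenter holds the private key for the JWK carried in "cnf", using a signed random challenge. The challenge exchange, the function names, the sample claims and the top-level "jwks" claim (the multiple-key case raised in the replies) are assumptions, since the draft leaves the proof messages to the application.

```javascript
const crypto = require('crypto');

// Collect confirmation keys from JWT claims whose issuer signature has
// already been verified. "cnf" as a bare JWK follows the thread; the
// top-level "jwks" claim (a JWK Set) is a hypothetical application extension.
function confirmationKeys(claims) {
  const found = [];
  if (claims.cnf) found.push(claims.cnf);
  if (claims.jwks && Array.isArray(claims.jwks.keys)) found.push(...claims.jwks.keys);
  // Allowlist key type and curve, and refuse JWKs carrying private material ("d").
  return found.filter((k) => k && typeof k === 'object' &&
    k.kty === 'EC' && k.crv === 'P-256' && !('d' in k));
}

// Recipient side: true only if `signature` over the recipient's `challenge`
// verifies under one of the confirmation keys named in the token.
function presenterHoldsKey(claims, challenge, signature) {
  return confirmationKeys(claims).some((jwk) => {
    try {
      const pub = crypto.createPublicKey({ key: jwk, format: 'jwk' });
      return crypto.verify('sha256', challenge, pub, signature);
    } catch (err) {
      return false; // malformed JWK or signature counts as no proof
    }
  });
}

// Constructed demo: keys, claims and challenge are generated here, not taken from the draft.
function demo() {
  const holder = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const other = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const claims = {
    iss: 'https://issuer.example',
    sub: 'presenter-1',
    cnf: holder.publicKey.export({ format: 'jwk' }),
  };
  const challenge = crypto.randomBytes(32); // fresh per presentation
  const sigHolder = crypto.sign('sha256', challenge, holder.privateKey);
  const sigOther = crypto.sign('sha256', challenge, other.privateKey);
  const twoKeys = { ...claims, jwks: { keys: [other.publicKey.export({ format: 'jwk' })] } };
  return {
    holder: presenterHoldsKey(claims, challenge, sigHolder),
    otherKey: presenterHoldsKey(claims, challenge, sigOther),
    staleSignature: presenterHoldsKey(claims, crypto.randomBytes(32), sigHolder),
    otherKeyListed: presenterHoldsKey(twoKeys, challenge, sigOther),
  };
}

console.log(demo());
```

With a single "cnf" key the recipient has exactly one key to test; once a key set is accepted, every listed key becomes a valid proof key, so the handling rules have to say who may add keys to it.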
