Can you sketch out what data structures you'd ideally use for your scenario and what the elements mean?

From: Chuck Mortimore [mailto:[email protected]]
Sent: Saturday, April 12, 2014 8:39 PM
To: Mike Jones
Cc: [email protected]
Subject: Re: [OAUTH-WG] Proof-Of-Possession Semantics for JSON Web Tokens (JWTs)

Not sure it's common yet. The scenario I'm exploring is a client that is paired with a server. For example, a mobile app that's an OpenID Connect client that is sharing its ID Token with the server. Both the client and server want to be able to prove possession without sharing a private key.

-cmort

On Sat, Apr 12, 2014 at 8:32 PM, Mike Jones <[email protected]> wrote:

Is having multiple confirmation keys a common case? I'd rather we "make simple things simple" than build the most general solution possible. If an application really needs multiple confirmation keys, it can always define a "jwks" element and the handling rules for it, and go for it...

-- Mike

From: Chuck Mortimore [mailto:[email protected]]
Sent: Saturday, April 12, 2014 6:12 PM
To: Mike Jones
Cc: [email protected]
Subject: Re: [OAUTH-WG] Proof-Of-Possession Semantics for JSON Web Tokens (JWTs)

Good start here Mike! One quick question - I see the "cnf" member is defined as a JWK. Why not a JWK Set? I could see use-cases for binding in multiple keys.

-cmort

On Tue, Apr 1, 2014 at 8:36 PM, Mike Jones <[email protected]> wrote:

I've written a concise Internet-Draft on proof-of-possession for JWTs with John Bradley and Hannes Tschofenig. Quoting from the abstract:

This specification defines how to express a declaration in a JSON Web Token (JWT) that the presenter of the JWT possesses a particular key and that the recipient can cryptographically confirm proof-of-possession of the key by the presenter. This property is also sometimes described as the presenter being a holder-of-key.

This specification intentionally does not specify the means of communicating the proof-of-possession JWT, nor the messages used to exercise the proof key, as these are necessarily application-specific. Rather, this specification defines a proof-of-possession JWT data structure to be used by other specifications that do define those things.

The specification is available at:
* http://tools.ietf.org/html/draft-jones-oauth-proof-of-possession-00

An HTML formatted version is available at:
* http://self-issued.info/docs/draft-jones-oauth-proof-of-possession-00.html

-- Mike

P.S. This note was also posted at http://self-issued.info/?p=1210 and as @selfissued.

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
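As an added example that is not part of the thread or of the draft, the data structure under discussion in Go: a claims set whose "cnf" member is a single EC JWK, the presenter exercising that key by signing a nonce, and the recipient confirming possession from the key bound in "cnf". The nonce-signing exchange, the P-256-only restriction and the assumption that the issuer's signature on the JWT was verified beforehand are this example's own choices, since the draft leaves those to other specifications.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"math/big"
)

// JWK carries the EC public-key members placed in "cnf" (P-256 only in this example).
type JWK struct {
	Kty string `json:"kty"`
	Crv string `json:"crv"`
	X   string `json:"x"`
	Y   string `json:"y"`
}
// PoPClaims is a JWT claims set whose "cnf" member is a single JWK, as in the -00 draft.
type PoPClaims struct {
	Sub string `json:"sub"`
	Cnf JWK    `json:"cnf"`
}
// NewPoPClaims builds the claims the issuer signs into the JWT it gives the presenter.
func NewPoPClaims(sub string, pub *ecdsa.PublicKey) ([]byte, error) {
	x, y := pub.X.FillBytes(make([]byte, 32)), pub.Y.FillBytes(make([]byte, 32))
	enc := base64.RawURLEncoding.EncodeToString
	return json.Marshal(PoPClaims{Sub: sub, Cnf: JWK{Kty: "EC", Crv: "P-256", X: enc(x), Y: enc(y)}})
}
// SignChallenge is the assumed, application-specific way the presenter exercises the key: signing a recipient-chosen nonce.
func SignChallenge(priv *ecdsa.PrivateKey, nonce []byte) ([]byte, error) {
	h := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}
// ConfirmPossession is the recipient side: with the issuer's JWT signature already verified (not shown), rebuild the key bound in "cnf" and check that the nonce was signed with it.
func ConfirmPossession(claimsJSON, nonce, sig []byte) bool {
	var c PoPClaims
	if err := json.Unmarshal(claimsJSON, &c); err != nil || c.Cnf.Kty != "EC" || c.Cnf.Crv != "P-256" {
		return false
	}
	x, errX := base64.RawURLEncoding.DecodeString(c.Cnf.X)
	y, errY := base64.RawURLEncoding.DecodeString(c.Cnf.Y)
	if errX != nil || errY != nil {
		return false
	}
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
	h := sha256.Sum256(nonce) // ecdsa.VerifyASN1 also rejects coordinates that are not a valid curve point (Go 1.20+)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}
```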
