[Ace] Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs)

[Mike Jones]

With the CBOR Web Token 
(CWT) specification 
nearing completion, which provides the CBOR equivalent of JWTs, I thought that 
it was also time to introduce the CBOR equivalent of RFC 
7800, "Proof-of-Possession Key Semantics 
for JSON Web Tokens (JWTs)", so that applications using CWTs will have a 
standard representation for proof-of-possession keys.  I know that PoP keys are 
important to ACE applications, for instance.  I 
therefore took RFC 7800 and produced the CBOR/CWT equivalent of it.

The specification is available at:

* https://tools.ietf.org/html/draft-jones-ace-cwt-proof-of-possession-00

An HTML-formatted version is also available at:

* 
http://self-issued.info/docs/draft-jones-ace-cwt-proof-of-possession-00.html

-- Mike

P.S.  This notice was also posted at http://self-issued.info/?p=1673 and as 
@selfissued.
___
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace

Re: [Ace] Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs)

[Ludwig Seitz]

On 2017-04-20 21:10, Mike Jones wrote:

With the CBOR Web Token (CWT)

specification nearing completion, which provides the CBOR equivalent of
JWTs, I thought that it was also time to introduce the CBOR equivalent
of RFC 7800 , “Proof-of-Possession
Key Semantics for JSON Web Tokens (JWTs)”, so that applications using
CWTs will have a standard representation for proof-of-possession keys.
I know that PoP keys are important to ACE
 applications, for instance.  I
therefore took RFC 7800 and produced the CBOR/CWT equivalent of it.



Hello Mike,


I like your idea, actually I like it so much that I already did the same 
thing in draft-ietf-ace-oauth-authz some time ago.


I have no strong opinion about separating that part out into a separate 
document, and I think our two texts look relatively similar. I do 
however have concerns if this means delaying the progress of 
draft-ietf-ace-oauth-authz by introducing a normative dependency on a 
"younger" draft.


What does the WG think?


/Ludwig





--
Ludwig Seitz, PhD
Security Lab, RISE SICS
Phone +46(0)70-349 92 51

___
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace

Re: [Ace] Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs)

[Mike Jones]

Hi Ludwig.  Thanks for your note.



The background of me writing this draft is that I both knew of non-ACE CWT 
applications that need PoP keys as well as knowing that ACE needs them.  With 
CWT nearing completion, I wanted to make sure that we'd have the "cnf" claim 
ready to go both for ACE and other applications in a similar timeframe.  So I'd 
decided a few weeks ago to do a straight port of RFC 7800 into the CBOR/CWT 
world.



I'll say up front that Hannes mentioned that there was some "cnf" content in 
the ACE OAuth profile draft. If for no other reason than for the working group 
to have it as reference to compare to, I decided to proceed with the CWT 
version of RFC 7800, which is what I published.  I took almost all of the text 
straight from RFC 7800 and a few sentences in the IANA Considerations section 
from CWT.



Comparing the "cnf" content in 
https://tools.ietf.org/html/draft-ietf-ace-oauth-authz-06 with the RFC 7800 
port, I found that we independently made similar choices, which is great.  
There are a few things missing in ace-oauth-authz, such as the registry 
language tying the claims to the equivalent JWT claims and the security 
considerations.  I believe those would be necessary to complete the work.  
ace-oauth-authz also contains some restrictions on PoP key usage that I believe 
for the general "cnf" definition, we don't want to and can't make.



My sense is that we could get the straight RFC 7800 port adopted and approved 
as an RFC within this calendar year - likely in a similar timeframe to when CWT 
becomes an RFC.  I think we should make that a goal, both for ACE and for 
non-ACE CWT applications needing PoP.  I say that because the IESG has already 
approved exactly this document, modulo syntax changes from JSON to CBOR.  I 
think that we could adopt this, go straight to WGLC, and see it finished with 
or soon after CWT is.



I know that, per the minutes 
https://www.ietf.org/proceedings/98/minutes/minutes-98-ace-00, people didn't 
feel that the ace-oauth-authz was ready for WGLC.  My sense is that because 
it's diverged from OAuth in some important ways (which I understand the reasons 
for), the WGLC, IETF last call, and IESG processes to approve it will be a lot 
more involved than those that it would take to approve the RFC 7800 port.  I 
say that because we'll have to justify all the decisions in a new security 
protocol both to the working group and also to SECDIR, GENART, OPSDIR, the IETF 
reviewers, and the IESG.  From experience, I know that they're thorough. ;-)



I'll say up front, that I'd be glad to add you as a co-editor of the RFC 7800 
port, Ludwig, both to acknowledge the good work you've already put in on the 
topic, and so you can help keep me honest in moving this forward expeditiously. 
 Would you be open to that possibility?



   Best wishes,

   -- Mike



-Original Message-
From: Ace [mailto:ace-boun...@ietf.org] On Behalf Of Ludwig Seitz
Sent: Thursday, April 20, 2017 11:44 PM
To: ace@ietf.org
Subject: Re: [Ace] Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs)



On 2017-04-20 21:10, Mike Jones wrote:

> With the CBOR Web Token (CWT)

> <https://tools.ietf.org/html/draft-ietf-ace-cbor-web-token>

> specification nearing completion, which provides the CBOR equivalent

> of JWTs, I thought that it was also time to introduce the CBOR

> equivalent of RFC 7800 <https://tools.ietf.org/html/rfc7800>,

> "Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)", so

> that applications using CWTs will have a standard representation for 
> proof-of-possession keys.

> I know that PoP keys are important to ACE

> <https://tools.ietf.org/wg/ace/> applications, for instance.  I

> therefore took RFC 7800 and produced the CBOR/CWT equivalent of it.

>



Hello Mike,





I like your idea, actually I like it so much that I already did the same thing 
in draft-ietf-ace-oauth-authz some time ago.



I have no strong opinion about separating that part out into a separate 
document, and I think our two texts look relatively similar. I do however have 
concerns if this means delaying the progress of draft-ietf-ace-oauth-authz by 
introducing a normative dependency on a "younger" draft.



What does the WG think?





/Ludwig











--

Ludwig Seitz, PhD

Security Lab, RISE SICS

Phone +46(0)70-349 92 51



___

Ace mailing list

Ace@ietf.org<mailto:Ace@ietf.org>

https://www.ietf.org/mailman/listinfo/ace
___
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace

Re: [Ace] Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs)

[Ludwig Seitz]

On 2017-04-21 18:46, Mike Jones wrote:

Hi Ludwig.  Thanks for your note.



~snip~



I’ll say up front, that I’d be glad to add you as a co-editor of the RFC
7800 port, Ludwig, both to acknowledge the good work you’ve already put
in on the topic, and so you can help keep me honest in moving this
forward expeditiously.  Would you be open to that possibility?



   Best wishes,

   -- Mike


If the chairs agree with your assessment that this document can move 
forward fast (which I feel it could, but my experience is limited), I'm 
fine with such a solution.


How could I help progressing that document?

/Ludwig


--
Ludwig Seitz, PhD
Security Lab, RISE SICS
Phone +46(0)70-349 92 51

___
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace

Re: [Ace] Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs)

[Michael Richardson]

Come to the discussion late, cleaning my inbox.

section 3 says:

 "The value of the cnf claim is a JSON object and the members of that object
 identify the proof-of-possession key."

And somehow, I think that the claim ought to be a CBOR object?
Same for the paragraph of 3.4.

I found the next paragraph about whether the sub or iss is the presenter to
be obtuse.  Maybe it is lacking some ACE RS/C/AS terminology?

I am trying to figure out if the nonce-full mechanism that we describe
in draft-ietf-anima-bootstrapping-keyinfra or anima-voucher, and later to
be re-interpreted as CWT in draft-ietf-6tisch-dtsecurity-secure-join should
reference RFC 7800 and this document instead.


--
Michael Richardson , Sandelman Software Works
 -= IPv6 IoT consulting =-





signature.asc
Description: PGP signature
___
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace

Re: [Ace] Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs)

[Mike Jones]

Thanks for the catch. Yes, this should be a CBOR map. I failed to make this 
change when transforming RFC 7800 into this draft. I'll correct it in the next 
version.



– Mike



From: Michael Richardson<mailto:mcr+i...@sandelman.ca>
Sent: Monday, May 22, 2017 2:19 PM
To: Mike Jones<mailto:michael.jo...@microsoft.com>
Cc: ace@ietf.org<mailto:ace@ietf.org>
Subject: Re: [Ace] Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs)



Come to the discussion late, cleaning my inbox.

section 3 says:

 "The value of the cnf claim is a JSON object and the members of that object
 identify the proof-of-possession key."

And somehow, I think that the claim ought to be a CBOR object?
Same for the paragraph of 3.4.

I found the next paragraph about whether the sub or iss is the presenter to
be obtuse.  Maybe it is lacking some ACE RS/C/AS terminology?

I am trying to figure out if the nonce-full mechanism that we describe
in draft-ietf-anima-bootstrapping-keyinfra or anima-voucher, and later to
be re-interpreted as CWT in draft-ietf-6tisch-dtsecurity-secure-join should
reference RFC 7800 and this document instead.


--
Michael Richardson , Sandelman Software Works
 -= IPv6 IoT consulting =-



___
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace

Re: [Ace] Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs)

[Mike Jones]

Thanks, Michael.  My editors draft now corrects the JSON -> CBOR issue.

Jim Schaad also commented on the second paragraph.  The editors draft relaxes 
its requirements to give profiles or applications full flexibility on how to 
identify the presenter.

After giving the editors of draft-ietf-ace-oauth-authz a chance to have a look 
at the new draft, I plan to publish it in a day or so.

I'd be glad to talk with you in person in Prague about the needs of the new 
work you mention below and how to meet them.

Best wishes,
-- Mike

-Original Message-
From: Ace [mailto:ace-boun...@ietf.org] On Behalf Of Michael Richardson
Sent: Monday, May 22, 2017 11:17 AM
To: Mike Jones 
Cc: ace@ietf.org
Subject: Re: [Ace] Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs)


Come to the discussion late, cleaning my inbox.

section 3 says:

 "The value of the cnf claim is a JSON object and the members of that object
 identify the proof-of-possession key."

And somehow, I think that the claim ought to be a CBOR object?
Same for the paragraph of 3.4.

I found the next paragraph about whether the sub or iss is the presenter to be 
obtuse.  Maybe it is lacking some ACE RS/C/AS terminology?

I am trying to figure out if the nonce-full mechanism that we describe in 
draft-ietf-anima-bootstrapping-keyinfra or anima-voucher, and later to be 
re-interpreted as CWT in draft-ietf-6tisch-dtsecurity-secure-join should 
reference RFC 7800 and this document instead.


--
Michael Richardson , Sandelman Software Works  -= IPv6 
IoT consulting =-



___
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace

[Ace] Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) spec fixing nits

[Mike Jones]

The Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) specification 
has been updated to address issues identified by Roman Danyliw while writing 
his shepherd review.  Thanks to Samuel Erdtman for fixing an incorrect example.

The specification is available at:

  *   https://tools.ietf.org/html/draft-ietf-ace-cwt-proof-of-possession-06

An HTML-formatted version is also available at:

  *   
http://self-issued.info/docs/draft-ietf-ace-cwt-proof-of-possession-06.html

   -- Mike

P.S.  This notice was also posted at http://self-issued.info/?p=1949 and 
@selfissued.

___
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace

[Ace] Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) spec addressing review comments

[Mike Jones]

The Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) specification 
has been updated to address comments received since its initial publication.  
Changes were:

  *   Tracked CBOR Web Token (CWT) Claims Registry updates.
  *   Addressed review comments by Michael Richardson and Jim Schaad.
  *   Added co-authors Ludwig Seitz, Göran Selander, Erik Wahlström, Samuel 
Erdtman, and Hannes Tschofenig.

Thanks for the feedback received to date!

The specification is available at:

  *   https://tools.ietf.org/html/draft-jones-ace-cwt-proof-of-possession-01

An HTML-formatted version is also available at:

  *   
http://self-issued.info/docs/draft-jones-ace-cwt-proof-of-possession-01.html

   -- Mike

P.S.  This notice was also posted at http://self-issued.info/?p=1711 and as 
@selfissued.
___
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace

[Ace] Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) spec addressing WGLC comments

[Mike Jones]

A new draft of the Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) 
specification has been published that addresses the Working Group Last Call 
(WGLC) comments received.  Changes were:

  *   Addressed review comments by Jim Schaad, see 
https://www.ietf.org/mail-archive/web/ace/current/msg02798.html
  *   Removed unnecessary sentence in the introduction regarding the use any 
strings that could be case-sensitive.
  *   Clarified the terms Presenter and Recipient.
  *   Clarified text about the confirmation claim.

Thanks to Samuel Erdtman and Hannes Tschofenig for contributing to the editing 
for this version and to Jim Schaad and Roman Danyliw for their review comments.

The specification is available at:

  *   https://tools.ietf.org/html/draft-ietf-ace-cwt-proof-of-possession-03

An HTML-formatted version is also available at:

  *   
http://self-issued.info/docs/draft-ietf-ace-cwt-proof-of-possession-03.html

   -- Mike

P.S.  This notice was also posted at http://self-issued.info/?p=1885 and as 
@selfissued.

___
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace

[Ace] Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) is now RFC 8747

[Mike Jones]

I'm pleased to report that Proof-of-Possession Key Semantics for CBOR Web 
Tokens (CWTs) is now RFC 8747.  
The abstract of the specification is:

This specification describes how to declare in a CBOR Web Token (CWT) (which is 
defined by RFC 8392) that the presenter of the CWT possesses a particular 
proof-of-possession key. Being able to prove possession of a key is also 
sometimes described as being the holder-of-key. This specification provides 
equivalent functionality to "Proof-of-Possession Key Semantics for JSON Web 
Tokens (JWTs)" (RFC 7800) but using Concise Binary Object Representation (CBOR) 
and CWTs rather than JavaScript Object Notation (JSON) and JSON Web Tokens 
(JWTs).

This is one of a series of specifications, including CWT [RFC 
8392] - which mirrors JWT [RFC 
7519], in which we are intentionally 
bringing functionality that is available in JSON to the CBOR and IoT world.

   -- Mike

P.S.  This notice was also posted at https://self-issued.info/?p=2066 and as 
@selfissued.

___
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace

[Ace] Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) spec using CBOR diagnostic notation

[Mike Jones]

Draft -01 of the Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) 
specification updates the examples to use CBOR diagnostic notation, thanks to 
Ludwig Seitz.  A table summarizing the "cnf" names, keys, and value types was 
added, thanks to Samuel Erdtman.  Finally, some of Jim Schaad's feedback on -00 
was addressed (with more to be addressed by the opening of IETF 100 in 
Singapore).

The specification is available at:

  *   https://tools.ietf.org/html/draft-ietf-ace-cwt-proof-of-possession-01

An HTML-formatted version is also available at:

  *   
http://self-issued.info/docs/draft-ietf-ace-cwt-proof-of-possession-01.html

-- Mike

P.S.  This notice was also posted at http://self-issued.info/?p=1748 and as 
@selfissued.

___
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace

[Ace] Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) spec with a few improvements

[Mike Jones]

A few local improvements have been made to the Proof-of-Possession Key 
Semantics for CBOR Web Tokens (CWTs) specification.  Changes were:

  *   Changed "typically" to "often" when describing ways of performing proof 
of possession.
  *   Changed b64 to hex encoding in an example.
  *   Changed to using the RFC 8174 boilerplate instead of the RFC 2119 
boilerplate.

Thanks to Samuel Erdtman for sharing the editing.

The specification is available at:

  *   https://tools.ietf.org/html/draft-ietf-ace-cwt-proof-of-possession-02

An HTML-formatted version is also available at:

  *   
http://self-issued.info/docs/draft-ietf-ace-cwt-proof-of-possession-02.html

   -- Mike

P.S.  This notice was also posted at http://self-issued.info/?p=1783 and as 
@selfissued.

___
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace

[Ace] Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) spec adding Key ID considerations

[Mike Jones]

Key ID confirmation method considerations suggested by Jim Schaad have been 
added to the Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) 
specification.  Per discussions in the working group meeting in Bangkok, it's 
now time for the shepherd review.

The specification is available at:

  *   https://tools.ietf.org/html/draft-ietf-ace-cwt-proof-of-possession-05

An HTML-formatted version is also available at:

  *   
http://self-issued.info/docs/draft-ietf-ace-cwt-proof-of-possession-05.html

   -- Mike

P.S.  This notice was also posted at http://self-issued.info/?p=1938 and 
@selfissued.
___
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace

[Ace] Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) sent to the RFC Editor

[Mike Jones]

I'm pleased to report that the Proof-of-Possession Key Semantics for CBOR Web 
Tokens (CWTs) specification is now technically stable and will shortly be an 
RFC - an Internet standard.  Specifically, it has now progressed to the RFC 
Editor queue, meaning that the only remaining step before finalization is 
editorial due diligence.  Thus, implementations can now utilize the draft 
specification with confidence that that breaking changes will not occur as it 
is finalized.

The abstract of the specification is:
This specification describes how to declare in a CBOR Web Token (CWT) (which is 
defined by RFC 8392) that the presenter of the CWT possesses a particular 
proof-of-possession key. Being able to prove possession of a key is also 
sometimes described as being the holder-of-key. This specification provides 
equivalent functionality to "Proof-of-Possession Key Semantics for JSON Web 
Tokens (JWTs)" (RFC 7800) but using Concise Binary Object Representation (CBOR) 
and CWTs rather than JavaScript Object Notation (JSON) and JSON Web Tokens 
(JWTs).

Thanks to the ACE working group for 
completing this important specification.

The specification is available at:

  *   https://tools.ietf.org/html/draft-ietf-ace-cwt-proof-of-possession-11

An HTML-formatted version is also available at:

  *   
https://self-issued.info/docs/draft-ietf-ace-cwt-proof-of-possession-11.html

   -- Mike

P.S.  This note was also posted at https://self-issued.info/?p=2025 and as 
@selfissued.

___
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace

Re: [Ace] Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) spec adding Key ID considerations

[Jim Schaad]

Roman,

 

This version addresses this issue.  As I have stated in the past, I am not
happy with resolution of a large number of the issues that I have raised,
but I am not going to try and hold up this document.

 

Jim

 

 

 

From: Mike Jones  
Sent: Friday, November 9, 2018 6:10 PM
To: ace@ietf.org
Cc: Jim Schaad ; Roman Danyliw 
Subject: Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) spec
adding Key ID considerations

 

Key ID confirmation method considerations suggested by Jim Schaad have been
added to the Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs)
specification.  Per discussions in the working group meeting in Bangkok,
it's now time for the shepherd review.

 

The specification is available at:

*
https://tools.ietf.org/html/draft-ietf-ace-cwt-proof-of-possession-05

 

An HTML-formatted version is also available at:

*
http://self-issued.info/docs/draft-ietf-ace-cwt-proof-of-possession-05.html

 

   -- Mike

 

P.S.  This notice was also posted at http://self-issued.info/?p=1938 and
@selfissued  .

___
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace

[Ace] Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) spec addressing Area Director review comments

[Mike Jones]

The Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) specification 
has been updated to address the Area Director review comments by Benjamin 
Kaduk.  Thanks to Ludwig Seitz and Hannes Tschofenig for their work on 
resolving the issues raised.

The specification is available at:

  *   https://tools.ietf.org/html/draft-ietf-ace-cwt-proof-of-possession-07

An HTML-formatted version is also available at:

  *   
http://self-issued.info/docs/draft-ietf-ace-cwt-proof-of-possession-07.html

   -- Mike

P.S.  This notice was also posted at http://self-issued.info/?p=2004 and 
@selfissued.
___
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace

[Ace] Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) spec addressing remaining Area Director comments

[Mike Jones]

A new version of the Proof-of-Possession Key Semantics for CBOR Web Tokens 
(CWTs) specification has been published to address the remaining Area Director 
review comments by Benjamin Kaduk. Thanks to Ludwig Seitz for doing the bulk of 
the editing for this version.

The specification is available at:

  *   https://tools.ietf.org/html/draft-ietf-ace-cwt-proof-of-possession-08

An HTML-formatted version is also available at:

  *   
http://self-issued.info/docs/draft-ietf-ace-cwt-proof-of-possession-08.html

   -- Mike

P.S.  This note was also posted at http://self-issued.info/?p=2010 and 
@selfissued.
___
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace

[Ace] Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) spec addressing Gen-ART and SecDir reviews

[Mike Jones]

A new version of the Proof-of-Possession Key Semantics for CBOR Web Tokens 
(CWTs) specification has been published addressing the Gen-ART and SecDir 
review comments.  Thanks to Christer Holmberg and Yoav Nir, respectively, for 
these useful reviews.

The specification is available at:

  *   https://tools.ietf.org/html/draft-ietf-ace-cwt-proof-of-possession-09

An HTML-formatted version is also available at:

  *   
http://self-issued.info/docs/draft-ietf-ace-cwt-proof-of-possession-09.html

   -- Mike

P.S.  This note was also posted at http://self-issued.info/?p=2016 and as 
@selfissued.

___
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace