[OAUTH-WG] JWT PoP Key Semantics WGLC followup 1 (was Re: refs and links in proof-of-possession-02 section 3.2)

2015-07-30 Thread Brian Campbell
In -03 the link is still back to the same doc and now to an anchor that doesn't exist, https://tools.ietf.org/html/draft-ietf-oauth-proof-of-possession-03#section-7 rather than to the section in JWK/RFC7517 where I assume it's intended, http://tools.ietf.org/html/rfc7517#section-7
On Sun, Mar 22,

Re: [OAUTH-WG] JWT PoP Key Semantics WGLC followup 1 (was Re: refs and links in proof-of-possession-02 section 3.2)

2015-07-30 Thread Mike Jones
The text is now correct and you’re right about where the link should go, but this appears to be a bug in the rfcmarkup tool that automatically creates the HTMLized version from the .txt version. I’ll try to experiment to see if I can work around the bug – for

[OAUTH-WG] JWT PoP Key Semantics WGLC followup 2 (was Re: proof-of-possession-02 unencrypted oct JWK in encrypted JWT okay?)

2015-07-30 Thread Brian Campbell
I raised the below question during the WGLC back in March but never got any response. JWE does add nontrivial size overhead to the message and in the case that a JWT containing a symmetric confirmation key is already a JWE, the spec would seem to require two layers of encryption and the associated

Re: [OAUTH-WG] JWT PoP Key Semantics WGLC followup 2 (was Re: proof-of-possession-02 unencrypted oct JWK in encrypted JWT okay?)

2015-07-30 Thread John Bradley
Yes, encrypting the claim should only be required when the entire JWT is not encrypted. I will have a look. John B.
> On Jul 30, 2015, at 3:12 PM, Brian Campbell wrote:
> I raised the below question during the WGLC back in March but never got any response.
> JWE does add nontrivial

[OAUTH-WG] JWT PoP Key Semantics WGLC followup 3 (was Re: confirmation model in proof-of-possession-02)

2015-07-30 Thread Brian Campbell
Using individual claims for the different confirmation types would convey the same information with a reduced message size, likely simpler implementation, and avoid the need to establish a new registry. Seems like a no-brainer to me but maybe I'm overlooking something? There hasn't been much disc

Re: [OAUTH-WG] JWT PoP Key Semantics WGLC followup 2 (was Re: proof-of-possession-02 unencrypted oct JWK in encrypted JWT okay?)

2015-07-30 Thread Mike Jones
I'm fine updating the draft to say that the symmetric key can be carried in the "jwk" element in an unencrypted form if the JWT is itself encrypted. That's what you're looking for, right?
-- Mike
From: OAuth [mailto:oauth-boun...@

Re: [OAUTH-WG] JWT PoP Key Semantics WGLC followup 3 (was Re: confirmation model in proof-of-possession-02)

2015-07-30 Thread Mike Jones
Part of the reasoning for using a structured confirmation claim, rather than flattening the confirmation claim into the top-level JWT claims set, is that a JWT may carry more than one confirmation key or key descriptor, as was mentioned in Prague. For instance, imagine that an application is co

Re: [OAUTH-WG] JWT PoP Key Semantics WGLC followup 2 (was Re: proof-of-possession-02 unencrypted oct JWK in encrypted JWT okay?)

2015-07-30 Thread John Bradley
Yes, I think that is reasonable. There is no point to double encrypting the key.
> On Jul 30, 2015, at 4:57 PM, Mike Jones wrote:
> I’m fine updating the draft to say that the symmetric key can be carried in the “jwk” element in an unencrypted form if the JWT is itself encrypted.

Re: [OAUTH-WG] JWT PoP Key Semantics WGLC followup 2 (was Re: proof-of-possession-02 unencrypted oct JWK in encrypted JWT okay?)

2015-07-30 Thread Brian Campbell
Yep, that's what I'm looking for. Thanks.
On Thu, Jul 30, 2015 at 1:57 PM, Mike Jones wrote:
> I’m fine updating the draft to say that the symmetric key can be carried in the “jwk” element in an unencrypted form if the JWT is itself encrypted. That’s what you’re looking for, right?

Re: [OAUTH-WG] JWT PoP Key Semantics WGLC followup 3 (was Re: confirmation model in proof-of-possession-02)

2015-07-30 Thread John Bradley
I agree, flattening would be a bad direction. In Prague I was indicating that there may be more than one presenter for an assertion. The first presenter may be the OAuth client who presents it to an RS. That RS itself may also present that token as a client in token exchange to get a new access

Re: [OAUTH-WG] JWT PoP Key Semantics WGLC followup 3 (was Re: confirmation model in proof-of-possession-02)

2015-07-30 Thread Brian Campbell
Some replies inline but the gist is that I disagree.
On Thu, Jul 30, 2015 at 2:17 PM, Mike Jones wrote:
> Part of the reasoning for using a structured confirmation claim, rather than flattening the confirmation claim into the top-level JWT claims set, is that a JWT may carry more than one co

Re: [OAUTH-WG] JWT PoP Key Semantics WGLC followup 3 (was Re: confirmation model in proof-of-possession-02)

2015-07-30 Thread Brian Campbell
To really support that case where an initial AS/issuer wants to bind to two presenters, shouldn't the confirmation structure itself allow for multiple confirmation methods (i.e. be or allow for an array)? I don't actually think that is needed but the flexibility that's being argued for here would

Re: [OAUTH-WG] JWT PoP Key Semantics WGLC followup 3 (was Re: confirmation model in proof-of-possession-02)

2015-07-30 Thread John Bradley
Token binding might be a bad example. I can’t see why you would need something separate unless you are trying to do something like message signing and token binding. I guess that is theoretically possible. Typically I think token binding would use the normal cnf containing a JWK with the publi

Re: [OAUTH-WG] JWT PoP Key Semantics WGLC followup 3 (was Re: confirmation model in proof-of-possession-02)

2015-07-30 Thread John Bradley
In my example you don’t really want to treat both the presenters as equivalent. Endpoints receiving the token should be able to tell which presenter gave it to them and apply policy on that. If you wanted them to be equivalent then an array would work, but that probably adds more confusion. J

Re: [OAUTH-WG] Review Comments for draft-ietf-oauth-proof-of-possession-02

2015-07-30 Thread Nat Sakimura
I cannot find any disposition of comment (DoC) to this review that the WG Chairs asked for. Nor do I see many of them reflected in -03. The process I would imagine is for the editors to 1) provide the DoC [accept, discuss, reject (with reasons)], 2) open up a series of discussions on discuss items and driv

Re: [OAUTH-WG] Review Comments for draft-ietf-oauth-proof-of-possession-02

2015-07-30 Thread Mike Jones
I typically do respond to review comments line-by-line but ran out of time to do this before Prague. (I was doing things like working with Brian on the Token Exchange deck, preparing my remarks to the COSE WG, etc.) I’ll plan to do this sometime early next week, which is the soonest I’ll be ab