I believe that I’ve now responded line-by-line to all the WGLC comments
received. If I missed any from any of you, please let me know.
After discussion of my responses this week, unless disagreements arise, I’ll
plan to publish -04 next week to incorporate the remaining resolutions that
have b
Replies inline…
From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Nat Sakimura
Sent: Wednesday, March 25, 2015 6:38 AM
To: oauth
Subject: [OAUTH-WG] Review Comments for draft-ietf-oauth-proof-of-possession-02
Dear OAuthers:
Here is my belated review comments on draft-ietf-oauth-proof-of-p
Hi Nat,
Per my response to Justin, the title and introduction were revised to address
the confusion. It did not introduce the term “Registered token”, since this
isn’t standard terminology that I’m aware of, and would therefore likely cause
more readability issues than it would solve. Use of
Hi Justin,
-03 was renamed to "Proof-of-Possession Key Semantics for JSON Web Tokens
(JWTs)" to eliminate this confusion. The introduction was also revised to
address related points of confusion.
Thanks again for your review comments.
-- Mike
-Original Mes
There didn’t seem to be support for having cnf contain array values. Instead,
as discussed in the thread “[OAUTH-WG] JWT PoP Key Semantics WGLC followup 3
(was Re: confirmation model in proof-of-possession-02)”, if different keys are
being confirmed, they can define additional claims other than
The second paragraph of
https://tools.ietf.org/html/draft-ietf-oauth-proof-of-possession-03#section-3
now provides a more general description of ways that applications may choose to
identify the presenter, including use of the “azp” (authorized party) claim.
This is the approach supported by the current draft. Thanks again for your
review comments.
-- Mike
From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Nat Sakimura
Sent: Monday, March 23, 2015 12:11 AM
To: Brian Campbell
Cc: oaut
-03 separated the "jwk" and "jwe" confirmation members; the former represents a
public key as a JWK and the latter represents a symmetric key as a JWE
encrypted JWK. (Yes, in -04 we’ll allow “jwk” to be a symmetric key, provided
the JWT itself is encrypted.)
As discussed in the thread “[OAUTH-WG] JWT PoP Key Semantics WGLC followup 2
(was Re: proof-of-possession-02 unencrypted oct JWK in encrypted JWT okay?)”, I
will update the draft to say that the symmetric key can be carried in the “jwk”
element in an unencrypted form if the JWT is itself encrypt
A key thumbprint value can be used as the value of the “cnf” “kid” member to
achieve this.
-- Mike
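As an added illustration of the two confirmation styles discussed above (embedding a public key under "cnf"/"jwk" versus referencing a key by thumbprint under "cnf"/"kid"), here is a small Python example that is not part of the thread or the draft; it computes a JWK thumbprint as defined in RFC 7638 and builds both forms of the "cnf" claim from a constructed, illustrative EC key whose coordinates are not a real curve point.

```python
import base64
import hashlib
import json

# Members RFC 7638 requires in the thumbprint input, by key type.
# Optional members such as "kid", "use" or "alg" are deliberately excluded.
REQUIRED_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "oct": ("k", "kty"),
}


def b64url(data: bytes) -> str:
    """base64url without padding, as used throughout JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def thumbprint_input(jwk: dict) -> str:
    """Canonical JSON for the thumbprint: required members only,
    lexicographically ordered member names, no whitespace."""
    members = {name: jwk[name] for name in REQUIRED_MEMBERS[jwk["kty"]]}
    return json.dumps(members, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 JWK thumbprint (RFC 7638), base64url-encoded (43 chars)."""
    digest = hashlib.sha256(thumbprint_input(jwk).encode("utf-8")).digest()
    return b64url(digest)


def cnf_by_kid(jwk: dict) -> dict:
    """"cnf" that references the key by thumbprint instead of embedding it;
    the recipient must already hold the key to resolve the reference."""
    return {"cnf": {"kid": jwk_thumbprint(jwk)}}


def cnf_by_jwk(public_jwk: dict) -> dict:
    """"cnf" that embeds the key as a JWK. This helper assumes the JWT itself
    is not encrypted, so only public key material may be placed here."""
    if public_jwk["kty"] == "oct" or "d" in public_jwk:
        raise ValueError("symmetric or private key material needs an encrypted carrier")
    return {"cnf": {"jwk": public_jwk}}


# Constructed sample P-256 public JWK (illustrative bytes, not a valid point).
SAMPLE_EC_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": b64url(bytes(range(32))),
    "y": b64url(bytes(range(32, 64))),
    "kid": "ignored-by-thumbprint",
}
```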
From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Brian Campbell
Sent: Sunday, March 22, 2015 11:41 PM
To: oauth
Subject: [OAUTH-W
In -03, the section number was corrected to 7. The internal link error is a
bug in the rfcmarkup tool that converts the .txt version to HTML, and is not a
bug in the actual specification text.
-- Mike
From: OAuth [mailto:oauth-boun...
This was simplified in -03 in a way that removes the abused MUST. It now reads:
At least one of the "sub" and "iss" claims MUST be present in
the JWT. Some use cases may require that both be present.
-- Mike
From: OAuth [mailto:oa
This was revised in -03 to correctly distinguish between the issuer and
presenter roles. It now reads:
The issuer of a JWT declares that the presenter possesses a
particular key and that the recipient can cryptographically confirm
proof-of-possession of the key by the presenter by includ
The confusing language about “conceptually similar to a certificate” was
removed from -03.
Thanks again for your review comments.
-- Mike
From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Brian Campbell
Sent: Sunday, March 22, 2
-03 updated the language that formerly assumed that the issuer was an OAuth 2.0
authorization server.
-- Mike
From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Brian Campbell
Sent: Sunday, March 22, 2015 6:14 PM
To: oauth
Subject