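%% You should probably cite draft-ietf-oauth-pop-key-distribution instead of this I-D.
%%
%% This entry pins revision -01 of the author-named draft (see `number` and `url`).
%% It is an Internet-Draft marked "Work in Progress" (see `note`), not a published
%% RFC; check the draft-ietf-... document named above before relying on it for
%% implementation or security decisions.
%%
%% Authors are stored in "Last, First" form so that name parsing is unambiguous.
%% Only the words whose capitalisation must survive a style's sentence-casing are
%% brace-protected in the title.
@techreport{bradley-oauth-pop-key-distribution-01,
  author      = {Bradley, John and Hunt, Phil and Jones, Michael B. and Tschofenig, Hannes},
  title       = {{OAuth} 2.0 {Proof-of-Possession}: Authorization Server to Client Key Distribution},
  type        = {Internet-Draft},
  number      = {draft-bradley-oauth-pop-key-distribution-01},
  institution = {Internet Engineering Task Force},
  publisher   = {Internet Engineering Task Force},
  year        = 2014,
  month       = jun,
  day         = 26,
  pagetotal   = 18,
  note        = {Work in Progress},
  url         = {https://datatracker.ietf.org/doc/draft-bradley-oauth-pop-key-distribution/01/},
  abstract    = {RFC 6750 specified the bearer token concept for securing access to protected resources. Bearer tokens need to be protected in transit as well as at rest. When a client requests access to a protected resource it hands-over the bearer token to the resource server. The OAuth 2.0 Proof-of-Possession security concept extends bearer token security and requires the client to demonstrate possession of a key when accessing a protected resource. This document describes how the client obtains this keying material from the authorization server.},
}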