%% You should probably cite draft-ietf-oauth-pop-architecture instead of this I-D.
@techreport{hunt-oauth-pop-architecture-02,
    number =    {draft-hunt-oauth-pop-architecture-02},
    type =      {Internet-Draft},
    institution =   {Internet Engineering Task Force},
    publisher = {Internet Engineering Task Force},
    note =      {Work in Progress},
    url =       {https://datatracker.ietf.org/doc/draft-hunt-oauth-pop-architecture/02/},
    author =    {Phil Hunt and Justin Richer and William Mills and Prateek Mishra and Hannes Tschofenig},
    title =     {{OAuth 2.0 Proof-of-Possession (PoP) Security Architecture}},
    pagetotal = 23,
    year =      2014,
    month =     jun,
    day =       26,
    abstract =  {The OAuth 2.0 bearer token specification, as defined in RFC 6750, allows any party in possession of a bearer token (a "bearer") to get access to the associated resources (without demonstrating possession of a cryptographic key). To prevent misuse, bearer tokens must to be protected from disclosure in transit and at rest. Some scenarios demand additional security protection whereby a client needs to demonstrate possession of cryptographic keying material when accessing a protected resource. This document motivates the development of the OAuth 2.0 proof-of-possession security mechanism.},
}