Skip to main content

OAuth 2.0 Proof-of-Possession (PoP) Security Architecture
draft-ietf-oauth-pop-architecture-00

The information below is for an old version of the document.
Document Type Expired Internet-Draft (oauth WG)
Authors Phil Hunt , Justin Richer , William Mills , Prateek Mishra , Hannes Tschofenig
Last updated 2015-01-22 (Latest revision 2014-07-21)
Replaces draft-hunt-oauth-pop-architecture
Stream Internet Engineering Task Force (IETF)
Formats
Expired & archived
plain text xml htmlized pdfized bibtex
Reviews
Stream WG state WG Document
Document shepherd Derek Atkins
IESG IESG state Expired
Consensus boilerplate Unknown
Telechat date (None)
Responsible AD (None)
Send notices to "Derek Atkins" <derek@ihtfp.com>
This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at:
https://www.ietf.org/archive/id/draft-ietf-oauth-pop-architecture-00.txt

Abstract

The OAuth 2.0 bearer token specification, as defined in RFC 6750, allows any party in possession of a bearer token (a "bearer") to get access to the associated resources (without demonstrating possession of a cryptographic key). To prevent misuse, bearer tokens must to be protected from disclosure in transit and at rest. Some scenarios demand additional security protection whereby a client needs to demonstrate possession of cryptographic keying material when accessing a protected resource. This document motivates the development of the OAuth 2.0 proof-of-possession security mechanism.

Authors

Phil Hunt
Justin Richer
William Mills
Prateek Mishra
Hannes Tschofenig

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)