OAuth Working Group M. Jones
Internet-Draft Microsoft
Intended status: Standards Track J. Bradley
Expires: September 10, 2015 Ping Identity
H. Tschofenig
ARM Limited
March 9, 2015
Proof-Of-Possession Semantics for JSON Web Tokens (JWTs)
draft-ietf-oauth-proof-of-possession-02
Abstract
This specification defines how to express a declaration in a JSON Web
Token (JWT) that the presenter of the JWT possesses a particular key
and that the recipient can cryptographically confirm
proof-of-possession of the key by the presenter. This property is also
sometimes described as the presenter being a holder-of-key.
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current
Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 10, 2015.
Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Jones, et al. Expires September 10, 2015 [Page 1]
Internet-Draft proof-of-possession for JWTs March 2015
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Notational Conventions . . . . . . . . . . . . . . . . . . 4
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. Proof-Of-Possession Representation . . . . . . . . . . . . . . 4
3.1. Proof-of-Possession of an Asymmetric Key . . . . . . . . . 5
3.2. Proof-of-Possession of a Symmetric Key . . . . . . . . . . 5
3.3. Proof-of-Possession Using a Key ID . . . . . . . . . . . . 6
3.4. Confirmation . . . . . . . . . . . . . . . . . . . . . . . 7
3.5. Specifics Intentionally Not Specified . . . . . . . . . . 7
4. Security Considerations . . . . . . . . . . . . . . . . . . . 8
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8
5.1. JSON Web Token Claims Registration . . . . . . . . . . . . 9
5.1.1. Registry Contents . . . . . . . . . . . . . . . . . . 9
5.2. JWT Confirmation Methods Registry . . . . . . . . . . . . 10
5.2.1. Registration Template . . . . . . . . . . . . . . . . 10
5.2.2. Initial Registry Contents . . . . . . . . . . . . . . 10
6. References . . . . . . . . . . . . . . . . . . . . . . . . . . 11
6.1. Normative References . . . . . . . . . . . . . . . . . . . 11
6.2. Informative References . . . . . . . . . . . . . . . . . . 11
Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 12
Appendix B. Document History . . . . . . . . . . . . . . . . . . 12
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 12
1. Introduction
This specification defines how to express a declaration in a JSON Web
Token (JWT) [JWT] that the presenter of the JWT possesses a
particular key and that the recipient can cryptographically confirm
proof-of-possession of the key by the presenter. This property is
also sometimes described as the presenter being a holder-of-key.
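The following is an added example, not code from the draft, showing what the holder-of-key property buys a recipient in practice. It assumes the draft's confirmation claim is named "cnf" and that its key-ID method uses a "kid" member (Section 3.3 in the table of contents); the challenge/response used to demonstrate possession is this example's own choice, since the draft deliberately leaves that mechanism unspecified (Section 3.5). The JWT is signed with HS256 using only the Python standard library, and all keys, identifiers and URLs are constructed values.

```python
# Added example (not part of the draft): a minimal holder-of-key check.
# Assumptions: the confirmation claim is "cnf" and its key-ID member is
# "kid"; the nonce/HMAC challenge is this example's own mechanism.
import base64
import hashlib
import hmac
import json
import secrets


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_jwt(issuer_key: bytes, claims: dict) -> str:
    """Authorization server: HS256-signed compact JWS carrying the claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(issuer_key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(issuer_key: bytes, token: str) -> dict:
    """Recipient: check the issuer's signature and return the claims, or raise."""
    try:
        h64, p64, s64 = token.split(".")
    except ValueError:
        raise ValueError("malformed JWT")
    header = json.loads(_b64url_decode(h64))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust "alg" blindly
        raise ValueError("unexpected alg")
    expected = hmac.new(issuer_key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad issuer signature")
    return json.loads(_b64url_decode(p64))


def prove_possession(pop_key: bytes, nonce: bytes) -> bytes:
    """Presenter: answer the recipient's fresh nonce with an HMAC under the PoP key."""
    return hmac.new(pop_key, nonce, hashlib.sha256).digest()


def accept(issuer_key: bytes, key_store: dict, token: str, nonce: bytes, proof: bytes) -> bool:
    """Recipient: the token is only honoured if the presenter proves key possession."""
    claims = verify_jwt(issuer_key, token)
    cnf = claims.get("cnf")
    if not isinstance(cnf, dict) or "kid" not in cnf:
        return False  # no confirmation claim: cannot confirm possession
    pop_key = key_store.get(cnf["kid"])
    if pop_key is None:
        return False  # unknown key id: cannot confirm possession
    return hmac.compare_digest(prove_possession(pop_key, nonce), proof)


def demo() -> tuple:
    """Constructed scenario: the legitimate presenter succeeds, while a party
    holding only a copy of the token (and not the key) is rejected."""
    issuer_key = b"authorization-server-hmac-key"  # constructed
    pop_key = b"presenter-symmetric-pop-key"        # constructed
    key_store = {"pop-key-1": pop_key}              # recipient already knows the key by id
    token = issue_jwt(issuer_key, {"iss": "https://as.example", "sub": "alice",
                                   "cnf": {"kid": "pop-key-1"}})
    nonce = secrets.token_bytes(16)
    legit = accept(issuer_key, key_store, token, nonce, prove_possession(pop_key, nonce))
    token_only = accept(issuer_key, key_store, token, nonce, prove_possession(b"guess", nonce))
    return legit, token_only


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The point to notice is in `accept`: a valid issuer signature is necessary but not sufficient. Unlike a bearer token, a copied JWT is useless without the key named in its confirmation claim, and the recipient's decision is a constant-time comparison against a nonce it chose itself, so a recorded proof cannot be replayed.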
Envision the following two use cases. The first use case describes
the use of a symmetric proof-of-possession key and the second use
case uses an asymmetric proof-of-possession key.
An OAuth 2.0 authorization server generates a JWT and places an
encrypted symmetric key inside the newly introduced confirmation