Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs)
RFC 8747

Document Type RFC - Proposed Standard (March 2020; No errata)
Last updated 2020-03-09
Replaces draft-jones-ace-cwt-proof-of-possession
Stream IETF
Stream WG state Submitted to IESG for Publication
Document shepherd Roman Danyliw
Shepherd write-up last changed 2019-02-25
IESG IESG state RFC 8747 (Proposed Standard)
Consensus Boilerplate Yes
Responsible AD Benjamin Kaduk
IANA IANA review state IANA OK - Actions Needed
IANA action state RFC-Ed-Ack


Internet Engineering Task Force (IETF)                          M. Jones
Request for Comments: 8747                                     Microsoft
Category: Standards Track                                       L. Seitz
ISSN: 2070-1721                                                Combitech
                                                             G. Selander
                                                             Ericsson AB
                                                              S. Erdtman
                                                                 Spotify
                                                           H. Tschofenig
                                                                Arm Ltd.
                                                              March 2020

      Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs)

Abstract

   This specification describes how to declare in a CBOR Web Token (CWT)
   (which is defined by RFC 8392) that the presenter of the CWT
   possesses a particular proof-of-possession key.  Being able to prove
   possession of a key is also sometimes described as being the holder-
   of-key.  This specification provides equivalent functionality to
   "Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)" (RFC
   7800) but using Concise Binary Object Representation (CBOR) and CWTs
   rather than JavaScript Object Notation (JSON) and JSON Web Tokens
   (JWTs).

Status of This Memo

   This is an Internet Standards Track document.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Further information on
   Internet Standards is available in Section 2 of RFC 7841.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   https://www.rfc-editor.org/info/rfc8747.

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Terminology
   3.  Representations for Proof-of-Possession Keys
     3.1.  Confirmation Claim
     3.2.  Representation of an Asymmetric Proof-of-Possession Key
     3.3.  Representation of an Encrypted Symmetric
           Proof-of-Possession Key
     3.4.  Representation of a Key ID for a Proof-of-Possession Key
     3.5.  Specifics Intentionally Not Specified
   4.  Security Considerations
   5.  Privacy Considerations
   6.  Operational Considerations
   7.  IANA Considerations
     7.1.  CBOR Web Token Claims Registration
       7.1.1.  Registry Contents
     7.2.  CWT Confirmation Methods Registry
       7.2.1.  Registration Template
       7.2.2.  Initial Registry Contents
   8.  References
     8.1.  Normative References
     8.2.  Informative References
   Acknowledgements
   Authors' Addresses

1.  Introduction

   This specification describes how a CBOR Web Token (CWT) [RFC8392] can
   declare that the presenter of the CWT possesses a particular proof-
   of-possession (PoP) key.  Proof of possession of a key is also
   sometimes described as being the holder-of-key.  This specification
   provides equivalent functionality to "Proof-of-Possession Key
   Semantics for JSON Web Tokens (JWTs)" [RFC7800] but using Concise
   Binary Object Representation (CBOR) [RFC7049] and CWTs [RFC8392]
   rather than JavaScript Object Notation (JSON) [RFC8259] and JSON Web
   Tokens (JWTs) [JWT].

2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

   This specification uses terms defined in the CBOR Web Token (CWT)
   [RFC8392], CBOR Object Signing and Encryption (COSE) [RFC8152], and
   Concise Binary Object Representation (CBOR) [RFC7049] specifications.

   These terms are defined by this specification:

   Issuer
      Party that creates the CWT and binds the claims about the subject
      to the proof-of-possession key.

   Presenter
      Party that proves possession of a private key (for asymmetric key
      cryptography) or secret key (for symmetric key cryptography) to a