There's similar wording in sec 3.3 <https://tools.ietf.org/html/draft-ietf-oauth-proof-of-possession-02#section-3.3> too that seems to suggest that the presenter is the one that makes the claim.
I think the presenter confirms the claim when it presents. It's the issuer that makes/asserts/declares the claim. No? "In this case, the presenter of a JWT declares that it possesses a particular key and that the recipient can cryptographically confirm proof-of-possession of the key by the presenter by including a "cnf" (confirmation) claim in the JWT whose value is a JSON object, with the JSON object containing a "kid" (key ID) member identifying the key." On Sun, Mar 22, 2015 at 8:42 PM, Brian Campbell <bcampb...@pingidentity.com> wrote: > My brain hurt trying to parse the first sentence/paragraph from section 3 > <https://tools.ietf.org/html/draft-ietf-oauth-proof-of-possession-02#section-3>: > > > "The presenter of a JWT declares that it possesses a particular key > and that the recipient can cryptographically confirm proof-of- > possession of the key by the presenter by including a "cnf" > (confirmation) claim in the JWT whose value is a JSON object, with > the JSON object containing a "jwk" (JSON Web Key) or "kid" (key ID) > member identifying the key." > > The issuer includes the "cnf" claim and makes the declaration not the > presenter. Sure, the presenter may be the issuer but that's a special case. > > Isn't it more accurate to say that it is the issuer who declares that the > presenter can confirm itself by some cryptographic proof-of-possession of > the key identified by the "cnf" claim? Or something more like that... > > > > >
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
