Agree that this language isn’t clear. The presenter doesn’t confirm the claim 
either; the presenter never even looks for it (unless the presenter is the 
issuer, which is a special and hopefully rare case). That’s why the key is 
delivered to the presenter in parallel with the token. It’s the RS that 
confirms the claim (in OAuth PoP), or whoever’s processing the key-protected 
call downstream (in something that isn’t OAuth).

 — Justin

> On Mar 25, 2015, at 9:37 AM, Brian Campbell <bcampb...@pingidentity.com> 
> wrote:
> 
> There's similar wording in sec 3.3 
> <https://tools.ietf.org/html/draft-ietf-oauth-proof-of-possession-02#section-3.3>
>  too that seems to suggest that the presenter is the one that makes the claim.
> 
> I think the presenter confirms the claim when it presents. It's the issuer 
> that makes/asserts/declares the claim. No?
> 
>   "In
>    this case, the presenter of a JWT declares that it possesses a
>    particular key and that the recipient can cryptographically confirm
>    proof-of-possession of the key by the presenter by including a "cnf"
>    (confirmation) claim in the JWT whose value is a JSON object, with
>    the JSON object containing a "kid" (key ID) member identifying the
>    key."
> 
> On Sun, Mar 22, 2015 at 8:42 PM, Brian Campbell <bcampb...@pingidentity.com 
> <mailto:bcampb...@pingidentity.com>> wrote:
> My brain hurt trying to parse the first sentence/paragraph from section 3 
> <https://tools.ietf.org/html/draft-ietf-oauth-proof-of-possession-02#section-3>:
>    "The presenter of a JWT declares that it possesses a particular key
>    and that the recipient can cryptographically confirm proof-of-
>    possession of the key by the presenter by including a "cnf"
>    (confirmation) claim in the JWT whose value is a JSON object, with
>    the JSON object containing a "jwk" (JSON Web Key) or "kid" (key ID)
>    member identifying the key."
> The issuer includes the "cnf" claim and makes the declaration not the 
> presenter. Sure, the presenter may be the issuer but that's a special case.
> 
> Isn't it more accurate to say that it is the issuer who declares that the 
> presenter can confirm itself by some cryptographic proof-of-possession of the 
> key identified by the "cnf" claim? Or something more like that...
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


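The division of roles discussed above, as an added example that is not from the draft or from anyone in this thread: the issuer signs a JWT whose "cnf" claim names a key by "kid" (the sec 3.3 variant), the presenter simply signs its request with the key it was handed in parallel with the token, and the RS is the party that confirms possession. Assumptions: HS256 for the issuer signature, a symmetric proof-of-possession key, and constructed sample secrets.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample secrets: the issuer/RS shared signing key, and the RS's
# store of proof-of-possession keys indexed by "kid". The issuer delivers the
# matching key to the presenter alongside the token; the presenter never
# reads "cnf" itself.
ISSUER_SECRET = b"issuer-to-rs-signing-secret"
POP_KEYS = {"pop-key-42": b"presenter-pop-key-42"}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(subject: str, kid: str) -> str:
    """Issuer: declares in "cnf" which key the presenter must prove it holds."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"iss": "as.example", "sub": subject,
                                 "cnf": {"kid": kid}}).encode())
    sig = hmac.new(ISSUER_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def present(token: str, pop_key: bytes, request: bytes) -> dict:
    """Presenter: signs the request with the key it was given, nothing more."""
    proof = hmac.new(pop_key, request, hashlib.sha256).digest()
    return {"token": token, "request": request, "proof": b64url(proof)}

def rs_confirm(msg: dict):
    """RS: verifies the issuer's signature, then confirms the presenter holds
    the key the issuer named in "cnf". Returns the subject, or None."""
    header, payload, sig = msg["token"].split(".")
    expected = hmac.new(ISSUER_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return None  # not issued (or altered) by the trusted issuer
    claims = json.loads(b64url_decode(payload))
    pop_key = POP_KEYS.get(claims.get("cnf", {}).get("kid"))
    if pop_key is None:
        return None  # issuer named a key the RS does not know
    expected_proof = hmac.new(pop_key, msg["request"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected_proof, b64url_decode(msg["proof"])):
        return None  # holds the token, but not the key: a stolen bearer token
    return claims["sub"]
```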