Sure no problem :)

> On Mar 25, 2015, at 10:42 AM, Brian Campbell <bcampb...@pingidentity.com> wrote:
>
> Yeah, sorry, I misspoke (this stuff isn't easy). The presenter doesn't confirm. The presenter presents the token along with something that proves possession, which allows the recipient to confirm. My original gripe with both texts is that they seem to suggest that the presenter makes the declaration in the token, which isn't true except for the special case of issuer=presenter. In trying to clarify that, I made a different mistake. I'm sure the draft authors will have no problem stating it clearly, concisely and accurately though :)
>
> On Wed, Mar 25, 2015 at 10:34 AM, Justin Richer <jric...@mit.edu> wrote:
>
> Agree that this language isn’t clear. The presenter doesn’t confirm the claim either, the presenter never even looks for it (unless the presenter is the issuer, which is a special and hopefully rare case). That’s why the key is delivered to the presenter in parallel with the token. It’s the RS that confirms the claim (in OAuth PoP), or whoever’s processing the key-protected call downstream (in something that isn’t OAuth).
>
> — Justin
>
>> On Mar 25, 2015, at 9:37 AM, Brian Campbell <bcampb...@pingidentity.com> wrote:
>>
>> There's similar wording in sec 3.3 <https://tools.ietf.org/html/draft-ietf-oauth-proof-of-possession-02#section-3.3> too that seems to suggest that the presenter is the one that makes the claim.
>>
>> I think the presenter confirms the claim when it presents. It's the issuer that makes/asserts/declares the claim. No?
>>
>> "In this case, the presenter of a JWT declares that it possesses a particular key and that the recipient can cryptographically confirm proof-of-possession of the key by the presenter by including a "cnf" (confirmation) claim in the JWT whose value is a JSON object, with the JSON object containing a "kid" (key ID) member identifying the key."
>>
>> On Sun, Mar 22, 2015 at 8:42 PM, Brian Campbell <bcampb...@pingidentity.com> wrote:
>>
>> My brain hurt trying to parse the first sentence/paragraph from section 3 <https://tools.ietf.org/html/draft-ietf-oauth-proof-of-possession-02#section-3>:
>>
>> "The presenter of a JWT declares that it possesses a particular key and that the recipient can cryptographically confirm proof-of-possession of the key by the presenter by including a "cnf" (confirmation) claim in the JWT whose value is a JSON object, with the JSON object containing a "jwk" (JSON Web Key) or "kid" (key ID) member identifying the key."
>>
>> The issuer includes the "cnf" claim and makes the declaration, not the presenter. Sure, the presenter may be the issuer, but that's a special case.
>>
>> Isn't it more accurate to say that it is the issuer who declares that the presenter can confirm itself by some cryptographic proof-of-possession of the key identified by the "cnf" claim? Or something more like that...
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
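The role split the thread settles on (issuer declares the key in "cnf", presenter proves possession, recipient confirms) is easier to see in code than in the draft's sentence. The following is an added example, not code from the thread, from the draft authors or from any OAuth library. It assumes, for simplicity, an HS256-signed JWT, a symmetric confirmation key referenced by a `kid` that the recipient can look up (one of the forms the draft allows), and an HMAC over the token and a recipient-chosen nonce as the proof; the key store, key IDs, issuer URL and subject are constructed values. Only the standard library is used.

```python
"""
Added example: the three roles around a JWT "cnf" (confirmation) claim.

  issuer    -> mints the JWT and DECLARES the confirmation key in "cnf"
  presenter -> shows the JWT plus a proof computed with that key
  recipient -> verifies the JWT, reads "cnf" and CONFIRMS possession

Assumptions (not from the draft): HS256 JWT, symmetric confirmation key
referenced by "kid" and known to the recipient, HMAC proof over the
token and a recipient-chosen nonce.
"""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_bytes(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


# ---- issuer: declares the key, proves nothing itself ----------------------
def issue_token(issuer_key: bytes, subject: str, cnf_kid: str) -> str:
    """Mint an HS256 JWT whose "cnf" claim names the confirmation key."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": "https://as.example",  # constructed issuer
               "sub": subject,
               "cnf": {"kid": cnf_kid}}
    signing_input = b64url(_json_bytes(header)) + "." + b64url(_json_bytes(payload))
    sig = hmac.new(issuer_key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


# ---- presenter: proves possession, never inspects "cnf" -------------------
def make_proof(pop_key: bytes, token: str, nonce: bytes) -> str:
    """Bind this presentation to this token and this nonce with the PoP key."""
    mac = hmac.new(pop_key, token.encode() + b"." + nonce, hashlib.sha256)
    return b64url(mac.digest())


# ---- recipient: confirms the claim the issuer made ------------------------
def verify_presentation(issuer_key: bytes, key_store: Dict[str, bytes],
                        token: str, proof: str, nonce: bytes) -> Optional[dict]:
    """Return the claims if both the JWT and the proof check out, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(b64url_decode(parts[0]))
        payload = json.loads(b64url_decode(parts[1]))
        signature = b64url_decode(parts[2])
    except ValueError:
        return None
    # Pin the algorithm: the token must not choose how it is verified.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    if not isinstance(payload, dict):
        return None
    signing_input = (parts[0] + "." + parts[1]).encode()
    expected_sig = hmac.new(issuer_key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, signature):
        return None
    # The issuer's declaration: which key the presenter must prove it holds.
    cnf = payload.get("cnf")
    if not isinstance(cnf, dict) or not isinstance(cnf.get("kid"), str):
        return None
    pop_key = key_store.get(cnf["kid"])
    if pop_key is None:
        return None
    # Confirmation: recompute the proof with the declared key.
    if not hmac.compare_digest(make_proof(pop_key, token, nonce), proof):
        return None
    return payload


def demo() -> Dict[str, bool]:
    """Honest presentation, a stolen token without the key, and a replayed proof."""
    issuer_key = secrets.token_bytes(32)   # shared by issuer and recipient (constructed)
    pop_key = secrets.token_bytes(32)      # delivered to the presenter with the token
    key_store = {"pop-key-1": pop_key}     # recipient's view of the "cnf" key

    token = issue_token(issuer_key, "alice", "pop-key-1")
    nonce = secrets.token_bytes(16)        # recipient-chosen, per request

    honest = verify_presentation(issuer_key, key_store, token,
                                 make_proof(pop_key, token, nonce), nonce)
    # Someone holding only the token cannot produce a proof for the declared key.
    thief = verify_presentation(issuer_key, key_store, token,
                                make_proof(secrets.token_bytes(32), token, nonce), nonce)
    # A captured proof does not carry over to a fresh nonce.
    replay = verify_presentation(issuer_key, key_store, token,
                                 make_proof(pop_key, token, nonce), secrets.token_bytes(16))
    return {
        "honest_presenter_accepted": honest is not None and honest["sub"] == "alice",
        "stolen_token_rejected": thief is None,
        "replayed_proof_rejected": replay is None,
    }


if __name__ == "__main__":
    print(demo())
```

Note where the declaration lives: `issue_token` writes "cnf" and `verify_presentation` reads it, while `make_proof` never looks at the claim at all, which is exactly the point made above that the presenter neither makes nor confirms the claim. Binding the proof to a recipient nonce is what keeps a captured token-plus-proof from being reused.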