This was revised in -03 to correctly distinguish between the issuer and 
presenter roles.  It now reads:
   The issuer of a JWT declares that the presenter possesses a
   particular key and that the recipient can cryptographically confirm
   proof-of-possession of the key by the presenter by including a "cnf"
   (confirmation) claim in the JWT whose value is a JSON object, with a
   JSON object containing a "jwk" (JSON Web Key) member, a "jwe" (JSON
   Web Encryption) member, or a "kid" (key ID) member identifying the
   key.

Thanks again for your useful review comments.

                                                            -- Mike

From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Brian Campbell
Sent: Sunday, March 22, 2015 6:43 PM
To: oauth
Subject: [OAUTH-WG] trouble reading the start of sec 3 proof-of-possession-02

My brain hurt trying to parse the first sentence/paragraph from section 3
<https://tools.ietf.org/html/draft-ietf-oauth-proof-of-possession-02#section-3>:

   "The presenter of a JWT declares that it possesses a particular key
   and that the recipient can cryptographically confirm proof-of-
   possession of the key by the presenter by including a "cnf"
   (confirmation) claim in the JWT whose value is a JSON object, with
   the JSON object containing a "jwk" (JSON Web Key) or "kid" (key ID)
   member identifying the key."

The issuer includes the "cnf" claim and makes the declaration, not the 
presenter. Sure, the presenter may be the issuer, but that's a special case.
Isn't it more accurate to say that it is the issuer who declares that the 
presenter can confirm itself by some cryptographic proof-of-possession of the 
key identified by the "cnf" claim? Or something more like that...

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
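
Added example (not part of the thread or of the draft): a Python sketch that keeps the three roles from the revised sentence separate, with the issuer placing a "cnf" claim carrying a "kid", the presenter proving possession, and the recipient confirming it. Assumptions: the issuer's signature on the JWT has already been verified, only the "kid" member is handled, the key is a pre-shared symmetric key, and the nonce-based HMAC proof is an illustrative mechanism that the draft does not define; all names and values are constructed.

```python
import base64, hashlib, hmac, json, secrets

# Constructed sample data: keys the recipient already shares with presenters, by key ID.
RECIPIENT_KEYS = {"presenter-key-1": b"constructed-demo-secret-32-bytes"}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def issuer_claims(subject: str, kid: str) -> dict:
    """Issuer role: declare, via "cnf", which key the presenter possesses."""
    return {"iss": "https://issuer.example", "sub": subject, "cnf": {"kid": kid}}

def presenter_proof(key: bytes, nonce: bytes) -> str:
    """Presenter role: prove possession by MACing the recipient's nonce
    (assumed proof mechanism for this example)."""
    return b64url(hmac.new(key, nonce, hashlib.sha256).digest())

def recipient_confirms(claims: dict, nonce: bytes, proof: str) -> bool:
    """Recipient role: resolve the key named by cnf.kid and check the proof."""
    cnf = claims.get("cnf")
    if not isinstance(cnf, dict) or not isinstance(cnf.get("kid"), str):
        return False  # no usable confirmation claim: treat as not confirmed
    key = RECIPIENT_KEYS.get(cnf["kid"])
    if key is None:
        return False  # issuer named a key this recipient does not know
    expected = presenter_proof(key, nonce)
    return hmac.compare_digest(expected, proof)  # constant-time comparison

if __name__ == "__main__":
    claims = issuer_claims("alice", "presenter-key-1")
    nonce = secrets.token_bytes(16)  # fresh per presentation to prevent replay
    proof = presenter_proof(RECIPIENT_KEYS["presenter-key-1"], nonce)
    print(json.dumps(claims), recipient_confirms(claims, nonce, proof))
```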
