Hello all,

Please find my review comments on the PoP document: http://tools.ietf.org/html/draft-ietf-oauth-proof-of-possession-04

1. Title:

Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)

[Kepeng] Should we add OAuth 2.0 to the title? Also, in the whole document we use "JWT", but in the title we use "JWTs". Is there a reason for this?

2. Abstract:

1) This specification defines how to express a declaration in a JSON Web Token (JWT) that the presenter of the JWT possesses a particular key and that the recipient can cryptographically confirm proof-of-possession of the key by the presenter.

[Kepeng] Add a reference to JWT.

2) This property is also sometimes described as the presenter being a holder-of-key.

[Kepeng] I am not sure what "this property" is. Do you mean "the key"? If yes, just use "the key", and change the sentence to something like: "This key is also sometimes described as a holder-of-key by the presenter."

3. Introduction

1) The first paragraph is the same as the abstract. I suggest rewording it a little bit or removing it, to avoid the redundancy.

2) See [I-D.ietf-oauth-pop-architecture] for a further discussion of key confirmation.

[Kepeng] I suggest mentioning a little bit more about the relationship between the PoP architecture document and this document. In my understanding, the PoP architecture document mentions several mechanisms: confidentiality protection, key confirmation and sender constraint. This document introduces the key semantics for the key confirmation mechanism.

3) About the two use cases, it would be useful to use two diagrams or flows to indicate how it works. Maybe put these two flows in a separate section. It would also be useful to mention which steps are in scope and which are out of scope, e.g. how to convey the symmetric key from the issuer to the presenter.

4. Section 3:

1) It would be useful to put a reference to the "sub" (subject) claim and the "iss" (issuer) claim.

2) Note that if an application needs to represent multiple proof-of-possession keys in the same JWT, one way for it to achieve this is to use other claim names, in addition to "cnf", to hold the additional proof-of-possession key information.

[Kepeng] It is not clear what the other claim names are.

Kind Regards,
Kepeng
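As an added illustration of the key confirmation mechanism the comments above discuss (example code, not text from the draft or from this thread), the following stand-alone Python sketch mints a JWT whose "cnf" claim identifies the presenter's key by "kid", and shows the recipient confirming possession by checking the presenter's MAC over a recipient-chosen nonce. The issuer URL, key material, kid values and the nonce challenge are constructed assumptions for the demo, not values from the draft.

```python
import base64, hashlib, hmac, json, secrets

# Added example, not code from the draft or the mailing list thread.
# Keys, kid values and the nonce-based challenge are constructed for this demo.
ISSUER_KEY = b"issuer-signing-key-demo"
POP_KEYS = {"pop-key-1": b"presenter-pop-key-demo"}   # recipient's key store, by kid

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def hs256_jws(payload: dict, key: bytes) -> str:
    """Compact JWS with HS256 (only the parts needed to carry a 'cnf' claim)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(payload).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def verify_hs256_jws(token: str, key: bytes) -> dict:
    header, body, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("issuer signature invalid")
    return json.loads(b64url_decode(body))

def issue_pop_jwt(subject: str, kid: str) -> str:
    # Issuer binds the presenter's key to the JWT via the "cnf" claim ("kid" member).
    return hs256_jws({"iss": "https://issuer.example", "sub": subject, "cnf": {"kid": kid}}, ISSUER_KEY)

def presenter_proof(nonce: bytes, pop_key: bytes) -> bytes:
    # Presenter proves possession by MACing a recipient-chosen nonce with the cnf key.
    return hmac.new(pop_key, nonce, hashlib.sha256).digest()

def recipient_confirms(token: str, nonce: bytes, proof: bytes) -> bool:
    """Key confirmation: check the issuer signature, then check the proof against the cnf key."""
    claims = verify_hs256_jws(token, ISSUER_KEY)
    kid = claims.get("cnf", {}).get("kid")
    pop_key = POP_KEYS.get(kid)
    if pop_key is None:
        return False            # key not known to the recipient: cannot confirm
    return hmac.compare_digest(presenter_proof(nonce, pop_key), proof)

if __name__ == "__main__":
    token = issue_pop_jwt("alice", "pop-key-1")
    nonce = secrets.token_bytes(16)
    print(recipient_confirms(token, nonce, presenter_proof(nonce, POP_KEYS["pop-key-1"])))
```

A real deployment would use an asymmetric key in the "jwk" member or a key lookup by "kid" as the draft describes, and a proper JOSE library rather than this minimal HS256 encoding.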
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth