Discussion:
[OAUTH-WG] Potential uses of PoP keys in CBOR Web Tokens (CWTs)
Hannes Tschofenig
2017-06-12 18:19:33 UTC
Hi all,

RFC 7800 defines how to communicate Proof of Possession (PoP) keys for
JSON Web Tokens (JWTs) [RFC 7519]. The CBOR Web Token (CWT)
draft-ietf-ace-cbor-web-token spec defines the CBOR/COSE equivalent of
the JSON/JOSE JWT spec.

The ACE working group is planning to also define a CBOR/COSE equivalent
of RFC 7800 and is interested in knowing how you might use CBOR
proof-of-possession keys for CWTs.

Please drop us a message if you are using CBOR PoP keys for CWTs. We
would like to learn more about your usage.

Ciao
Hannes & Kepeng
Nat Sakimura
2017-06-21 19:54:49 UTC
So, I have finally started to put the tip of my foot into the IoT world and so
I have no actual product or service, but PoP keys for CWT should be useful
for severely constrained devices. We have seen so many instances of token
interception and replay in the IoT sphere. PoP keys in CBOR should help
mitigate it.

Nat
--
Nat Sakimura

Chairman of the Board, OpenID Foundation
John Bradley
2017-06-21 20:01:15 UTC
I don’t have any deployments yet, but am changing companies in July and can see some future use cases for POP CWT around Web Authentication.

POP for JWT is taking off and Ping has implementations of that.

It would be beneficial if we could maintain the same confirmation “cnf” semantic between JWT and CWT.

I suspect that there are going to be gateways and mixed environments, so it will reduce confusion.

If you are asking about specific confirmation methods you need to give me a bit of time to swap some of this into my head.
The high-level semantic of a confirmation element should be the same, but even in JWT there are different methods and information that needs to be propagated depending on the application, e.g. key hash vs DN vs encrypted symmetric key.

John B.