Proof-Of-Possession Semantics for JSON Web Tokens (JWTs) draft 02 has been under WGLC till yesterday (March 24, 2015).
During the OAuth WG meeting at IETF 92 on Monday, I was asked to do a review of the document (See the minutes).
So, here is my review comments. (It has been sent to OAuth list as this. I am recording it here for easier future reference.)
1. Review Comments for Proof-Of-Possession Semantics for JSON Web Tokens (JWTs)
Below, [POPA] stands for OAuth 2.0 Proof-of-Possession (PoP) Security Architecture draft 01.
Abstract
It is probably better to spell out that this document is describing the JWT format that can be used for sender constraint (5.2 of [POPA]) and key confirmation (5.3 of [POPA]). This will make it easier for the reader to understand what this document aims at.
Accordingly, we should consider the title change to something like:
JWT Sender Confirmation Token Syntax
OR
borrowing from the financial concept which I believe is the origin of the concept of “bearer token”,
JWT Registered Token Syntax
— here, “Registered” mean that either the sender constraint or key confirmation is registered within or in conjunction with the token.
1. Introduction
Consider referencing draft-ietf-oauth-pop-architecture.
It will be clearer for the reader then, and the text will be shorter.
2. Terminology – Presenter
Sentence 1
Not sure if the first sentence is accurately reflecting the intent.
It excludes rogue party presenting the token (and fails) from presenter.
If so, it is fine but using more qualified term like “authorized presenter” may make it easier for the reader to parse.
Otherwise revise the definition.
Sentence 2
“issuer or a party different from the issuer” is not constraining anything and meaningless.
There are more easier to parse and accurate text coming in the main text, too.
Drop.
3. Proof-Of-Possession Representation
Title
Perhaps “Sender Representation in JWT” is more reflective of the content.
Para 2
The paragraph describes two ways of sender confirmation:
(1) Sender Constraint
(2) Key Confirmation
It should refer to 5.2 and 5.3 of [POPA] for it, as well as align the terminology.
Then, it goes on to describe (1) very briefly, in which it is just spelling out “iss” and “sub”.
I understand the use of sub in this section comes down from SAML but I feel that some separation between sub and presenter would be nice.
For example, when I am presenting the token using an app that I installed on my iPhone, the presenter is that app and not me, while the sub still may be me. The app is the authorized presenter/party (azp) of the token. The JWT may well be about the sub but presented by some software component that should be independently identified.
So my proposal is to create a new subsection on (1) for the completeness, which is going to be a new 3.1, and to use a claim like “azp” instead of “sub” to identify the presenter. Less overload would cause less confusion later, IMHO.
3.1 Proof-of-Possession of an Asymmetric Key
Title
Perhaps “Confirmation Key Representation for an Asymmetric Key” is more reflective of the content.
3.2 Proof-of-Possession of a Symmetric Key
Title
Perhaps “Confirmation Key Representation for a Symmetric Key” is more reflective of the content.
Last Para
I feel a bit like needing to sniff into the content of jwk to find out what type may not be optimal, though I do not have a concrete proposal a this time.
3.3 Proof-of-Possession Using a Key ID
Title
Perhaps “Confirmation Key Representation by Key ID” is more reflective of the content.
Para 1
There has been some discussion of using thumbprint instead of a blob “kid”.
This is a valid option. If we are to overload the “kid” member for this purpose, we need to find a way to signal that it is a thumbprint.
It may very well be better to define a separate member name then for the thumbprint. The title then changes to “– by Key ID” to “– by reference”.
Also, it is conceivable to use the combination of “kid” and “jku”. This aspect is not spelled out here but appears that some magic happens for the key distribution.
3.4 Confirmation
Since “cnf” appears before 3.4, it may be better to bring 3.4 at the front.
5.2.2 Initial Registry Contents
Add “azp” and “jkt”.
o Confirmation Method Value: “azp”
o Confirmation Method Description: Client ID of the Authorized Presenter
o Change Controller: IESG
o Specification Document(s): Section [TBD] of [[ this document ]]
o Confirmation Method Value: “jkt”
o Confirmation Method Description: JWK Thumbprint of the Confirmation Key
o Change Controller: IESG
o Specification Document(s): Section [TBD] of [[ this document ]]
o Confirmation Method Value: “jku”
o Confirmation Method Description: JWK URI of the Confirmation Key
o Change Controller: IESG
o Specification Document(s): Section [TBD] of [[ this document ]]
Privacy Consideration
It is missing privacy consideration. It is not required per se, but since Key Confirmation method with ephemeral key can be less privacy intrusive compared to other sender confirmation method, adding some text around it may be a good idea.
2. Supplementary material to the above comments
In addition to the above, I also prepared a complementary draft that deals with the Sender Constraint. It also talks about how to use it in the sense of RFC6750. It is available as: Sender Constrained JWT for OAuth 2.0 and its HTML version can be found here.