draft-ietf-oauth-attestation-based-client-auth.md
4 additions & 3 deletions
@@ -188,7 +188,7 @@ The following additional rules apply:
1. The JWT MAY contain other claims. All claims that are not understood by implementations MUST be ignored.
-
2. The JWT MUST be digitally signed using an asymmetric cryptographic algorithm. The authorization server MUST reject the JWT if it is using a Message Authentication Code (MAC) based algorithm. The authorization server MUST reject JWTs with an invalid signature.
+
2. The JWT MUST be digitally signed using an asymmetric cryptographic algorithm. The authorization server MUST reject JWTs with an invalid signature.
3. The authorization server MUST reject a JWT that is not valid in all other respects per "JSON Web Token (JWT)" {{RFC7519}}.
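Review bot: the deleted sentence at line 191 was the only explicit instruction to reject a MAC-based alg, but the retained sentence still says the JWT MUST be digitally signed using an asymmetric cryptographic algorithm, so MAC-based algorithms remain excluded by the rule itself; if the intent is only to drop a redundant sentence, the retained wording should still tell the verifier what to do, e.g. "The authorization server MUST reject a JWT that is not signed with an asymmetric algorithm or whose signature is invalid", otherwise the alg check implementers must perform is only implied rather than stated.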
@@ -239,7 +239,7 @@ The following additional rules apply:
1. The JWT MAY contain other claims. All claims that are not understood by implementations MUST be ignored.
-
2. The JWT MUST be digitally signed using an asymmetric cryptographic algorithm. The authorization server MUST reject the JWT if it is using a Message Authentication Code (MAC) based algorithm. The authorization server MUST reject JWTs with an invalid signature.
+
2. The JWT MUST be digitally signed using an asymmetric cryptographic algorithm. The authorization server MUST reject JWTs with an invalid signature.
3. The public key used to verify the JWT MUST be the key located in the "cnf" claim of the corresponding Client Attestation JWT.
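Review bot: this is the same deletion as in the line-191 hunk, applied to the Client Attestation PoP JWT rules; here rule 3 already fixes the verification key to the public key in the `cnf` claim of the Client Attestation JWT, so an asymmetric algorithm is required twice over and the deletion does not change what is permitted. Whatever wording is settled on for line 191 should be used verbatim here so the two rule lists stay identical; a single shared paragraph referenced from both sections would avoid the copies drifting apart again.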
@@ -509,7 +509,7 @@ Upon receiving a Client Attestation, the receiving server MUST ensure the follow
2. The Client Attestation JWT contains all claims and header parameters as per [](#client-attestation-jwt).
3. The Client Attestation PoP JWT contains all claims and header parameters as per [](#client-attestation-pop-jwt).
-
4. The alg JOSE Header Parameter for both JWTs indicates a registered asymmetric digital signature algorithm {{IANA.JOSE.ALGS}}, is not none, is not MAC based, is supported by the application, and is acceptable per local policy.
+
4. The alg JOSE Header Parameter for both JWTs indicates a registered asymmetric digital signature algorithm {{IANA.JOSE.ALGS}}, is not none, is supported by the application, and is acceptable per local policy.
5. The signature of the Client Attestation JWT verifies with the public key of a known and trusted Attester.
6. The key contained in the `cnf` claim of the Client Attestation JWT is not a private key.
7. The signature of the Client Attestation PoP JWT verifies with the public key contained in the `cnf` claim of the Client Attestation JWT.
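Review bot: rule 4 at line 512 keeps the explicit "is not none" exclusion while dropping "is not MAC based", although "registered asymmetric digital signature algorithm" already excludes both; either keep both explicit exclusions (this alg allow-list check is the step a verifier must get right before any signature is trusted) or drop both and rely on the positive requirement. The half-way form reads as though MAC-based algorithms are now acceptable, which contradicts the retained rule-2 text at lines 191 and 242.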
@@ -635,6 +635,7 @@ This section requests registration of the following scheme in the "Hypertext Tra
-07
+
* remove restrictions to not allow MAC-based algorithms
* require `iat` in Client Attestation PoP JWT
* clarify `use_attestation_challenge` and add `invalid_client_attestation`
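Review bot: the -07 changelog entry "remove restrictions to not allow MAC-based algorithms" misdescribes the change: lines 191, 242 and 512 still require an asymmetric digital signature algorithm, so MAC-based algorithms are not newly allowed; only the duplicate explicit prohibition was removed. Suggest "remove redundant explicit prohibition of MAC-based algorithms (asymmetric signature algorithm still required)" so a reader of the changelog does not conclude that MAC-based algs are now permitted for either JWT.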