I cannot find a rigorous definition of what the "proof of possession" attribute means. Different webpages seem to give conflicting definitions:
1. Some of them say that it means, literally, proving that you possess a value (a key or a password):
   https://www.w3.org/2012/webcrypto/webcrypto-next-workshop/papers/webcrypto2014_submission_8.pdf
   https://idm.unl.edu/4254-proof-possession
   This doesn't seem like a useful definition, though, because almost every crypto operation involves a key, so by this definition, anything would constitute "proof of possession", including just giving the key out to prove you have it.
2. Some of them say it specifically refers to proof of possession of a private key in a public-private key pair:
   https://help.sap.com/doc/saphelp_nwpi711/7.1.1/en-US/4c/a09b7e1fd9634ae10000000a421392/content.htm
   http://www.convertwriteservices.com/assets/docs/API/certj_reference/javadoc/com/rsa/certj/PKIService.html
   but I think this is probably wrong, as more authoritative sources like https://www.rfc-editor.org/rfc/rfc7800 talk specifically about proof of possession in the context of symmetric keys.
3. One page, which is on an internal company wiki that I cannot share, says that proof of possession means proving that you possess a value, without sending the value to the other party. Ironically, this is the definition that seems most likely to be correct, since it's most consistent with how people use it, even though I can't find any public-facing webpages giving this definition.
So is it the case that definition #3 is correct and that sources which give definition #1 or #2 are (mildly) wrong?
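The distinction the question draws between giving a key out and proving possession without sending it, as an added example that is not part of the original post: a symmetric-key challenge-response built on HMAC-SHA256. The `Verifier` class, `prove`, `demo` and the sample keys are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class Verifier:
    """Holds the shared symmetric key and issues single-use challenges."""

    def __init__(self, key: bytes):
        self._key = key
        self._outstanding = set()  # nonces issued and not yet answered

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, proof: bytes) -> bool:
        # Each nonce is accepted once, so a captured proof cannot be replayed.
        if nonce not in self._outstanding:
            return False
        self._outstanding.discard(nonce)
        expected = hmac.new(self._key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, proof)  # constant-time compare


def prove(key: bytes, nonce: bytes) -> bytes:
    """Prover side: only a MAC over the nonce crosses the wire, never the key."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def demo() -> dict:
    key = secrets.token_bytes(32)        # constructed sample key
    other_key = secrets.token_bytes(32)  # constructed key of a party without the secret
    verifier = Verifier(key)
    n1 = verifier.challenge()
    p1 = prove(key, n1)
    n2 = verifier.challenge()
    n3 = verifier.challenge()
    return {
        "valid": verifier.verify(n1, p1),
        "replayed": verifier.verify(n1, p1),     # same nonce and proof again
        "stale_proof": verifier.verify(n2, p1),  # old proof against a new nonce
        "wrong_key": verifier.verify(n3, prove(other_key, n3)),
        "key_on_wire": key in n1 + p1,           # the key itself was never sent
    }


if __name__ == "__main__":
    print(demo())
```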