With only three characters, combinations are at a premium. People can always use longer names.
The ones that are going to be in most tokens are the important ones to keep short and memorable. tid seems clearer than jti, but that is just me. I will go with whatever is decided.

John B

Sent from my iPad

On 2011-11-23, at 10:27 PM, Mike Jones <michael.jo...@microsoft.com> wrote:

> Thinking about it a bit more, since others may want to use “tid” for claims
> with meanings like Transaction ID (or other words beginning with “t”), maybe
> the claim name should be “jti” (JSON web Token ID) to reduce chance of name
> collisions?
>
> -- Mike
>
> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of
> Mike Jones
> Sent: Wednesday, November 23, 2011 5:21 PM
> To: John Bradley; oauth WG
> Subject: Re: [OAUTH-WG] Message ID for draft-jones-oauth-jwt-bearer
>
> Thanks John. This makes sense to me.
>
> Feedback from others?
>
> -- Mike
>
> From: John Bradley [mailto:ve7...@ve7jtb.com]
> Sent: Wednesday, November 23, 2011 5:02 PM
> To: oauth WG
> Cc: Mike Jones
> Subject: Message ID for draft-jones-oauth-jwt-bearer
>
> The draft-jones-oauth-jwt-bearer profile is lacking a message ID that exists
> in the SAML version.
>
> This is important for the receiver to detect replay attacks.
>
> For Connect I made up a claim to use:
>
> tid The tid (token id) claim, A nonce or unique identifier for the
> assertion. The Assertion ID may be used by implementations requiring message
> de-duplication for one-time use assertions.
>
> I was tempted to use mid (Message ID) however it is the id of the token not
> the message.
>
> If you add something I will change the claim to be consistent.
>
> I think it needs to be in your spec.
>
> Regards
> John B.
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
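The receiver-side de-duplication that the thread wants a token ID for, as an added example that is not part of any message in the thread or of the draft. It assumes the claim is named "jti", that assertions also carry the JWT "iss" and "exp" claims, and that the signature has already been verified; the `ReplayCache` class and its `max_lifetime` policy are hypothetical.

```python
import threading
import time


class ReplayCache:
    """Remembers (issuer, token ID) pairs until the assertion expires."""

    def __init__(self, max_lifetime=600, clock=time.time):
        self._seen = {}                    # (iss, jti) -> exp timestamp
        self._lock = threading.Lock()      # check-and-insert must be atomic
        self._max_lifetime = max_lifetime  # assumed policy: bounds cache growth
        self._clock = clock

    def check_and_store(self, claims):
        """Return (accepted, reason) for claims whose signature is already verified."""
        now = self._clock()
        iss, jti, exp = claims.get("iss"), claims.get("jti"), claims.get("exp")
        if not isinstance(iss, str) or not iss:
            return False, "missing issuer"
        if not isinstance(jti, str) or not jti:
            return False, "missing token ID"
        if isinstance(exp, bool) or not isinstance(exp, (int, float)):
            return False, "missing expiry"
        if exp <= now:
            return False, "expired"
        if exp - now > self._max_lifetime:
            return False, "lifetime too long"
        key = (iss, jti)  # IDs are only unique per issuer
        with self._lock:
            # Entries can be dropped once the assertion would be rejected as expired anyway.
            for old in [k for k, e in self._seen.items() if e <= now]:
                del self._seen[old]
            if key in self._seen:
                return False, "replay"
            self._seen[key] = exp
        return True, "ok"


if __name__ == "__main__":
    cache = ReplayCache()
    # Constructed sample claims, not taken from the thread.
    claims = {"iss": "https://idp.example", "jti": "c2f1a9", "exp": time.time() + 300}
    print(cache.check_and_store(claims))   # first presentation
    print(cache.check_and_store(claims))   # same assertion presented again
```

An in-process dictionary only covers a single receiver; several receivers behind one endpoint would need a shared store with the same atomic check-and-insert.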