Hannes - here a couple of comments on the 05 draft -

(i) Section 4 -

[quote]
Note however, that the set of claims that a JWT must contain to be considered valid is context-dependent and is outside the scope of this specification. When used in a security-related context, implementations MUST understand and support all of the claims present; otherwise, the JWT MUST be rejected for processing.
[/quote]

I am not sure what is being stated here. I understand the general sense of the paragraph but I found the two sentences to be contradictory. The second sentence is also very strong - suppose we find some private claim in a JWT that the recipient is unable to understand - perhaps an optional attribute-value pair - MUST it then reject the token?
(ii) Section 6 -

[quote]
A plaintext JWT is a JWS using the "none" JWS "alg" header parameter value defined in JSON Web Algorithms (JWA) [JWA <http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-05#ref-JWA>]; it is a JWS with an empty JWS Signature value.
[/quote]

It is later clarified that by "empty JWS Signature value" the draft means "empty string". That could be added as a parenthetical remark at the end of the sentence. I actually spent some time looking up the term "empty JWS Signature value" in the JWS specification.

Thanks,
prateek
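For readers following the two points above, here is an added example (not text from the draft or from either poster) of how a recipient might apply them in code: a small Python validator that parses a compact-serialized JWT, treats alg "none" as a plaintext JWT whose signature segment must be the empty string and refuses it unless the caller has explicitly opted in, verifies HS256 otherwise, and implements the strict reading of the Section 4 MUST by rejecting any claim it does not understand. The claim set `UNDERSTOOD_CLAIMS`, the helper names and the demo key are assumptions for the illustration, not anything the draft defines.

```python
import base64
import hashlib
import hmac
import json
from typing import Iterable, Tuple


def b64url_encode(data: bytes) -> str:
    """base64url without '=' padding, as JWS uses for every segment."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Inverse of b64url_encode; re-adds the padding the wire format drops."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


# Hypothetical set of claims this recipient understands in its security
# context (an assumption for the demo; the draft leaves the set context-dependent).
UNDERSTOOD_CLAIMS = frozenset({"iss", "sub", "aud", "exp", "nbf", "iat", "jti"})


def make_token(header: dict, claims: dict, key: bytes = b"") -> str:
    """Constructed helper to build a compact JWS for the demo.  alg "none"
    gets the empty signature segment; HS256 gets HMAC-SHA256 over the
    signing input (header.claims)."""
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    if header.get("alg") == "none":
        sig = b""
    elif header.get("alg") == "HS256":
        sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    else:
        raise ValueError("demo supports only alg none and HS256")
    return signing_input + "." + b64url_encode(sig)


def validate_jwt(token: str, key: bytes = b"",
                 understood: Iterable[str] = UNDERSTOOD_CLAIMS,
                 allow_plaintext: bool = False) -> Tuple[bool, str]:
    """Return (accepted, reason); stops at the first failed check."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed: expected header.claims.signature"
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
        signature = b64url_decode(parts[2])
    except ValueError:  # binascii.Error and json.JSONDecodeError both subclass ValueError
        return False, "malformed: segment is not base64url-encoded JSON"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "malformed: header and claims must be JSON objects"

    alg = header.get("alg")
    if alg == "none":
        # Plaintext JWT: the "empty JWS Signature value" is the empty string,
        # so the third segment must be literally empty.
        if parts[2] != "":
            return False, "alg none with a non-empty signature segment"
        if not allow_plaintext:
            return False, "plaintext (alg none) JWTs are not accepted here"
    elif alg == "HS256":
        signing_input = (parts[0] + "." + parts[1]).encode("ascii")
        expected = hmac.new(key, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return False, "HS256 signature does not verify"
    else:
        return False, f"unsupported alg {alg!r}"

    # Strict reading of the Section 4 MUST: every claim present must be one
    # this recipient understands, otherwise the JWT is rejected.
    unknown = sorted(set(claims) - set(understood))
    if unknown:
        return False, "unrecognised claims: " + ", ".join(unknown)
    return True, "accepted"


if __name__ == "__main__":
    demo_key = b"constructed-demo-key"  # constructed sample, not a real secret
    claims = {"iss": "https://issuer.example", "sub": "alice", "exp": 2000000000}
    print(validate_jwt(make_token({"alg": "none"}, claims)))
    print(validate_jwt(make_token({"alg": "none"}, claims), allow_plaintext=True))
    print(validate_jwt(make_token({"alg": "HS256"}, claims, demo_key), key=demo_key))
    print(validate_jwt(make_token({"alg": "none"}, {**claims, "x-private": 1}),
                       allow_plaintext=True))
```

The last call shows the consequence prateek asks about: under the strict reading, a single private claim the recipient does not recognise is enough to reject an otherwise well-formed token, which is why an implementation needs an explicit policy for which claims it "understands".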
Hi all,

you may have noticed that the JOSE working group has made good progress with their work and they are getting closer to a WGLC. This is a good point in time for us to review the JWT spec (see http://datatracker.ietf.org/doc/draft-ietf-oauth-json-web-token/). Please read through it in preparation for the meeting.

It would be good to hear who has implemented it and whether there is feedback on the document. Given the OpenID Connect interoperability tests there seem to be lots of implementations.

We would like to start a WGLC as soon as the WGLC for the JOSE documents starts.

Ciao
Hannes
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth