Thanks for your review, Prateek. Updates resulting from these comments are included in the latest drafts.
Thanks again,
-- Mike

From: Mike Jones
Sent: Monday, December 10, 2012 5:51 PM
To: 'prateek mishra'; oauth@ietf.org
Subject: RE: [OAUTH-WG] Please review draft-ietf-oauth-json-web-token

Thanks for the comments, Prateek. Replies inline in green...

-- Mike

From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of prateek mishra
Sent: Wednesday, November 07, 2012 7:16 AM
To: oauth@ietf.org
Subject: Re: [OAUTH-WG] Please review draft-ietf-oauth-json-web-token

Hannes - here are a couple of comments on the 05 draft -

(i) Section 4 -

[quote]
Note however, that the set of claims that a JWT must contain to be considered valid is context-dependent and is outside the scope of this specification. When used in a security-related context, implementations MUST understand and support all of the claims present; otherwise, the JWT MUST be rejected for processing.
[\quote]

I am not sure what is being stated here. I understand the general sense of the paragraph but I found the two sentences to be contradictory. The second sentence is also very strong - suppose we find some private claim in a JWT that the recipient is unable to understand - perhaps an optional attribute-value pair - MUST it then reject the token?

The strong language about "MUST understand" mirrors the same language in the JOSE specs. As you probably know, there's an open issue being discussed by the JOSE working group about whether all header fields must be understood, or whether there will be a mechanism for signaling that some header fields may be safely ignored if not understood. I suspect that if a change is made to the JOSE specs in this regard, a similar change might be applied here as well.

(ii) Section 6 -

[quote]
A plaintext JWT is a JWS using the "none" JWS "alg" header parameter value defined in JSON Web Algorithms (JWA) [JWA] <http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-05#ref-JWA>; it is a JWS with an empty JWS Signature value.
[\quote]

It is later clarified that by "empty JWS Signature value" the draft means "empty string". That could be added as a parenthetical remark at the end of the sentence. I actually spent some time looking up the term "empty JWS Signature value" in the JWS specification.

I'll plan to apply this clarification in the next spec release.

Thanks,
prateek

Hi all,

you may have noticed that the JOSE working group had made good progress with their work and they are getting closer to a WGLC. This is a good point in time for us to review the JWT spec (see http://datatracker.ietf.org/doc/draft-ietf-oauth-json-web-token/). Please read through it in preparation for the meeting. It would be good to hear who has implemented it and whether there is feedback on the document. Given the OpenID Connect interoperability tests there seem to be lots of implementations. We would like to start a WGLC as soon as the WGLC for the JOSE documents starts.

Ciao
Hannes

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
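The two rules debated in this thread, as an added example that is not part of the mails or of the JWT drafts: a plaintext JWT is a JWS with alg "none" and an empty-string third part, and in a security-related context every claim present must be understood or the token is rejected. It uses only the Python standard library; the sample claim values and the `allow_plaintext` switch are constructed for illustration, and keyed signature verification is assumed to happen elsewhere.

```python
"""Minimal JWT acceptance check (added example, not spec code)."""
import base64
import json


def b64url_decode(part: str) -> bytes:
    """Base64url without padding, as used in JWS compact serialization."""
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_plaintext_jwt(claims: dict) -> str:
    """Build a plaintext JWT: header alg "none" and an empty signature part."""
    header = b64url_encode(json.dumps({"alg": "none"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def check_jwt(token: str, understood_claims: set, allow_plaintext: bool = False) -> str:
    """Return "accepted" or a string naming why the token is rejected.

    allow_plaintext is a constructed policy switch: a security-related context
    would normally leave it False so unsecured tokens are never trusted.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return "rejected: not a JWS compact serialization"
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError:  # bad base64url or bad JSON
        return "rejected: malformed header or claims"
    if header.get("alg") == "none":
        # Section 6: the JWS Signature value of a plaintext JWT is the empty string.
        if parts[2] != "":
            return 'rejected: alg "none" with a non-empty signature'
        if not allow_plaintext:
            return "rejected: plaintext JWT not accepted in this context"
    # Section 4: every claim present must be understood, else reject.
    unknown = sorted(set(claims) - understood_claims)
    if unknown:
        return f"rejected: claims not understood: {unknown}"
    return "accepted"


if __name__ == "__main__":
    tok = make_plaintext_jwt({"iss": "joe", "exp": 1300819380})  # constructed sample
    print(check_jwt(tok, {"iss", "exp"}, allow_plaintext=True))
    print(check_jwt(tok, {"iss"}, allow_plaintext=True))
```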