Re: [OAUTH-WG] WGLC on JSON Web Token (JWT)

Wed, 21 Aug 2013 16:52:03 -0700

1) As a JWT is always an instance of JWE or JWS, I am not sure why there is a need for the the materials found in Section 5, para 1 (these are also found in the JWE and JWS draft specifications). It could simply be removed from the draft.
2) Why do we need both a "typ" claim and a "typ" header name? Need they have some relationship to each other? 
Isn't this also covered by Section 5.3?

3)  The materials in Section 5.3 could be simplified further.
Why should the use of claims as header parameters be restricted to the case where the JWT=JWE; what about the encrypt then sign (symmetric) use-case? I see no issue in allowing this feature with a JWT of any type.
The last paragraph of Section 5.3 ("This specification reserves the iss (issuer), sub (subject),....") seems to be an instance of the previous paragraph. If claims are allowed in the header, then iss (issuer), sub (subject) are trivially allowed, right? I couldn't find any additional information in this last paragraph.
Finally, do we need "SHOULD verify that their values are identical" - given that this matter is left upto applications, couldnt they choose to verify only a certain relationship between the corresponding values (e.g., header carries hash of value, JWT carries the (large) complete value)? Can this be weakened to "SHOULD verify that their values have an appropriate (application-defined) relationship. In many instances, applications may want to ensure that they are identical". 

4) Section 8 -
am I correct in reading this as: all conforming JWT implementations MUST implement JWS and MAY implement JWE? At least thats what I understood from the last paragraph ("/if/ an implementation provides encryption capabilities..."). 



- prateek

Hi all,

this is a working group last call for the JSON Web Token (JWT).

Here is the document:
http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-11

Please send you comments to the OAuth mailing list by August 21, 2013.

Ciao
Hannes & Derek
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth



_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Reply via email to