I will reiterate here my strong preference that an "unsecured" or "plaintext" JWS object be syntactically distinct from a real JWS object. E.g. by having two dot-separated components instead of three.
Beyond that, seems like just shuffling deck chairs.

On Mon, Sep 8, 2014 at 12:10 PM, Brian Campbell <bcampb...@pingidentity.com> wrote:
> cc'ing JOSE on a minor JWT review comment that might impact JWS/JWA.
>
> I agree that "plaintext" is not the most intuitive wording choice and that
> "unsecured" might better convey what's going on with the "none" JWS
> algorithm.
>
> Mike mentioned that, if this change is made in JWT, there are parallel
> changes in JWS. But note that there are also such changes in JWA (more than
> in JWS actually).
>
> On Fri, Sep 5, 2014 at 6:28 PM, Mike Jones <michael.jo...@microsoft.com>
> wrote:
>
>> -----Original Message-----
>> From: Warren Kumari [mailto:war...@kumari.net]
>> Sent: Monday, September 01, 2014 3:40 PM
>> To: sec...@ietf.org; draft-ietf-oauth-json-web-token....@tools.ietf.org
>> Subject: Review of: draft-ietf-oauth-json-web-token
>>
>> I'm a little confused by something in the Terminology section (Section 2):
>>
>> Plaintext JWT
>>
>> A JWT whose Claims are not integrity protected or encrypted.
>>
>> The term plaintext to me means something like "is readable without
>> decrypting / much decoding" (something like, if you cat the file to a
>> terminal, you will see the information). Integrity protecting a string
>> doesn't make it not easily readable. If this document / JOSE uses
>> "plaintext" differently (and a quick skim didn't find anything about
>> this) it might be good to clarify. Section 6 *does* discuss plaintext
>> JWTs, but doesn't really clarify the (IMO) unusual meaning of the term
>> "plaintext" here.
>>
>>
>> I've discussed this with the other document editors and we agree with you
>> that "plaintext" is not the most intuitive wording choice in this context.
>> Possible alternative terms are "Unsecured JWT" or "Unsigned JWT". I think
>> that "Unsecured JWT" is probably the preferred term, since JWTs that are
>> JWEs are also unsigned, but they are secured. Working group – are you OK
>> with this possible terminology change? (Note that the parallel change
>> "Plaintext JWS" -> "Unsecured JWS" would also be made in the JWS spec.)
>>
>
> _______________________________________________
> jose mailing list
> j...@ietf.org
> https://www.ietf.org/mailman/listinfo/jose
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
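As an added illustration (not code from this thread or from any JOSE implementation), a Python checker that enforces the two-versus-three-segment distinction proposed at the top of the message: the segment count and the header's "alg" must agree, a two-segment unsecured token is accepted only when the caller explicitly opts in, and a three-segment token must carry a verifiable HS256 signature. The key and payloads used with it are constructed test values.

```python
import base64
import hashlib
import hmac
import json


def _b64url_decode(segment: str) -> bytes:
    # JWS compact serialization uses base64url without '=' padding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def parse_jws(token: str, key: bytes, allow_unsecured: bool = False) -> dict:
    """Return the payload only if the token's shape, header and signature agree.

    Shape rule from the thread: two segments = unsecured, three = signed.
    The header's "alg" must match the shape, and unsecured input is rejected
    unless the caller explicitly opts in.
    """
    parts = token.split(".")
    if len(parts) not in (2, 3):
        raise ValueError("malformed JWS: expected 2 or 3 dot-separated segments")
    alg = json.loads(_b64url_decode(parts[0])).get("alg")
    if len(parts) == 2:
        if alg != "none":
            raise ValueError("two-segment token must declare alg=none")
        if not allow_unsecured:
            raise ValueError("unsecured JWS rejected: caller did not opt in")
        return json.loads(_b64url_decode(parts[1]))
    # Three segments: "none" here is exactly the ambiguity the thread wants
    # removed, so it is an error rather than a silently skipped check.
    if alg != "HS256":
        raise ValueError(f"unsupported alg for a signed JWS: {alg!r}")
    signing_input = f"{parts[0]}.{parts[1]}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(parts[1]))


def make_jws(payload: dict, key=None) -> str:
    """Build an HS256-signed token, or an unsecured two-segment one if key is None."""
    alg = "HS256" if key is not None else "none"
    head = _b64url_encode(json.dumps({"alg": alg}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    if key is None:
        return f"{head}.{body}"
    sig = hmac.new(key, f"{head}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url_encode(sig)}"
```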