Hi Erik,

having this draft is a good thing.

One thing I'm still wondering is what WG is the best place to progress
this.  We probably don't need to spend too much time on this because,
regardless of the WG chosen, the people in another WG can look at it.
Still, getting this right might provide some efficiencies.

What is the technical content of this draft?  Is it a new token that
OAuth needs specifically for the new COSE-based applications of OAuth?
Is it a new token that is specifically there for addressing ACE needs?
Or is it essentially the same substance as JWT, but phrased in and
profiled for CBOR?

Depending on the answer, CWT should be done in OAuth, ACE, or COSE.
(I'd rather hear the answer from the authors than venture a guess myself.)

Grüße, Carsten



Erik Wahlström neXus wrote:
> Hi,
> 
> In the ACE WG a straw man proposal of a CBOR Web Token (CWT) was defined
> in the draft "Authorization for the Internet of Things using OAuth 2.0"
> [1]. We just broke out the CBOR Web Token into a separate draft and the
> new draft is submitted to the OAUTH WG. It can be found here: 
> 
> https://datatracker.ietf.org/doc/draft-wahlstroem-oauth-cbor-web-token/
> 
> Abstract: 
> "CBOR Web Token (CWT) is a compact means of representing claims to be
> transferred between two parties.  CWT is a profile of the JSON Web Token
> (JWT) that is optimized for constrained devices. The claims in a CWT are
> encoded in the Concise Binary Object Representation (CBOR) and CBOR
> Object Signing and Encryption (COSE) is used for added application layer
> security protection.  A claim is a piece of information asserted about a
> subject and is represented as a name/value pair consisting of a claim
> name and a claim value."
> 
> / Erik
> 
> 
> [1] https://tools.ietf.org/html/draft-seitz-ace-oauth-authz-00
> 
> 
> _______________________________________________
> COSE mailing list
> c...@ietf.org
> https://www.ietf.org/mailman/listinfo/cose

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
