Re: [OAUTH-WG] [COSE] A draft on CBOR Web Tokens (CWT)

2015-11-16 Thread Hannes Tschofenig
Hi Bill, From what I can tell there are no differences in this regard. Of course, the data has to be encoded differently and so there is a need to state the new data type but beyond that I haven’t seen any restrictions yet. Of course, the COSE work is still ongoing and so it might be a bit too

Re: [OAUTH-WG] [COSE] A draft on CBOR Web Tokens (CWT)

2015-11-16 Thread Hannes Tschofenig
Hi William, You are indeed correct that the current document contains a list of one-by-one copies of claims from the JWT. The only difference is the data type. Probably it would have been better to just reference the semantic from the JWT spec and then state the new data type. I fully understa

Re: [OAUTH-WG] [COSE] A draft on CBOR Web Tokens (CWT)

2015-11-16 Thread Carsten Bormann
Bill Mills wrote:
> If there are structural differences in what CBOR can support it would be worthwhile to note that. Examples of things supported in JWT that you can't do in CBOR could be very helpful to implementers.
Those don't exist, but there may be things you have to do in JSON that you

Re: [OAUTH-WG] [COSE] A draft on CBOR Web Tokens (CWT)

2015-11-16 Thread Bill Mills
If there are structural differences in what CBOR can support it would be worthwhile to note that. Examples of things supported in JWT that you can't do in CBOR could be very helpful to implementers.
On Monday, November 16, 2015 1:32 PM, William Denniss wrote: You raise some good

Re: [OAUTH-WG] draft-ietf-oauth-proof-of-possession-06 Glitches

2015-11-16 Thread Mike Jones
Hi Hannes. Thanks for the feedback. Replies are inline below...
> -Original Message-
> From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Hannes Tschofenig
> Sent: Monday, November 16, 2015 6:55 AM
> To: oauth@ietf.org
> Subject: [OAUTH-WG] draft-ietf-oauth-proof-of-possession-06

[OAUTH-WG] AD review of draft-ietf-oauth-pop-architecture

2015-11-16 Thread Kathleen Moriarty
Hello, I reviewed draft-ietf-oauth-pop-architecture and have a few questions. 1. Section 6, Threat Mitigation: Last sentence of first paragraph, "To simplify the subsequent description we assume that the token itself is digitally signed by the authorization server and therefore cannot b

Re: [OAUTH-WG] [COSE] A draft on CBOR Web Tokens (CWT)

2015-11-16 Thread Hannes Tschofenig
Hi William, I have been trying to do a document update to see how well a combined registry works and I have been wondering whether it is really worth the effort. To make a good judgment I looked at the CNF claim defined in draft-ietf-oauth-proof-of-possession. The CNF claim may contain sub-eleme

[OAUTH-WG] draft-ietf-oauth-proof-of-possession-06 Glitches

2015-11-16 Thread Hannes Tschofenig
Hi all, I noticed a few glitches with the most recent version of the draft-ietf-oauth-proof-of-possession document. ** PoP Figure (Symmetric Key) FROM: +--+ | | +--+ | |--(4) Presentation of -->|