Hi David,
I am not referring to RFC 7519 (JWT) but to RFC 8259 (JSON).
I-JSON (i.e. Internet-JSON) mandates the uniqueness of claim names in an
object (as well as JWT).
RFC 8259 does not mandate uniqueness.
Denis
From JWT RFC 7519, section-4:
The Claim Names within a JWT Claims Set
MUST be unique; JWT parsers MUST either reject JWTs with duplicate
Claim Names or use a JSON parser that returns only the lexically last
duplicate member name, as specified in Section 15.12 ("The JSON
Object") of ECM
Hi Watson,
The word "semantics" is not present in RFC 8259.
I looked for the word "unique" in RFC 8259. There are three occurrences
of that word in clause 4. Objects,
in particular:
The names within an object SHOULD be unique
There is indeed a "SHOULD", but not a "SHALL".
If there w
Attackers do not stick to the rules. It sounds to me like one of the
security considerations for any standard that employs JSON, or any other
structured data language, is to ensure that the input is validated to be
compliant. I have been in the position of trying to enforce type checking
on experie
On Mon, Oct 2, 2023, 11:56 PM Denis wrote:
>
> Hi Justin,
>
> Your premise relies on a feature of JSON that does not exist. JSON does not
> provide well-defined behavior for repeated names within an object:
>
> When the names within an object are not
> unique, the behavior of software that receiv
Hi Justin,
Your premise relies on a feature of JSON that does not exist. JSON
does not provide well-defined behavior for repeated names within an
object:
When the names within an object are not
unique, the behavior of software that receives such an object is
unpredictable.
You should also c
Your premise relies on a feature of JSON that does not exist. JSON does not
provide well-defined behavior for repeated names within an object:
When the names within an object are not
unique, the behavior of software that receives such an object is
unpredictable.
From: https://www.rfc-editor.org
The latest draft (i.e. draft-looker-oauth-jwt-cwt-status-list-latest)
which is available at:
https://vcstuff.github.io/draft-looker-oauth-jwt-cwt-status-list/draft-looker-oauth-jwt-cwt-status-list.html
includes the following illustrative drawing: