I support the current approach of having both the JWT and CWT data structures
in the same document. I believe that's the best way to ensure consistency
between the approaches.
There's a long history of cooperation in the identity space between OAuth,
JOSE, COSE, ACE, and now SPICE. We've gotten good outcomes that work across
working groups and use cases as a result.
Thanks for asking though, Christian.
Best wishes,
-- Mike
-----Original Message-----
From: Christian Bormann <[email protected]>
Sent: Friday, January 16, 2026 5:43 AM
To: [email protected]; [email protected]; Tobias Looker
<[email protected]>; [email protected]; Deb Cooley
<[email protected]>
Subject: [Ace] CBOR/CWT parts in OAuth Token Status List
Hello ACE WG,
We are currently finalising the OAuth Token Status List draft
(https://datatracker.ietf.org/doc/draft-ietf-oauth-status-list/). While the
draft started with only JSON-based representations, upon request we added a
CBOR/CWT based variant.
We are aware that CBOR/CWT-related work is typically the domain of the SPICE or
ACE WGs and outside of OAuth. However, given that the draft consists of an
encoding-agnostic core data model and only adds JSON and CBOR encoding on top,
we felt that this adds more benefits for using a consistent method across these
two common data representation formats, which have a history of shared
standards. The CBOR-specific parts are currently a rather small part of the
overall draft and mirror the JSON-based definitions.
Are there any concerns with the current situation of including the CBOR/CWT
parts in the draft? Could you please provide feedback on the situation and our
proposal to keep the CBOR/CWT parts in the current draft, preferably within ~2
weeks.
Best Regards,
Christian + Paul + Tobias
_______________________________________________
Ace mailing list -- [email protected]
To unsubscribe send an email to [email protected]
_______________________________________________
Ace mailing list -- [email protected]
To unsubscribe send an email to [email protected]
