To clarify: What is the base specification that Jim mentioned?
Is it: http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-03 ?

Would somebody please present a use-case for either nonce or timestamp?
If a JWT is used with OAuth2 then what is the difference between nonce and
state? Nonce would be signed while state is not?

I guess I am missing some information that those in the room who voted
"yes" had?

Axel

2012/8/25 Mike Jones <[email protected]>

> I'll note for discussion purposes that a nonce and a timestamp are not the
> same thing (although sometimes they are used to achieve similar/related
> goals).  A nonce tends to be an opaque value that must be preserved across
> the communication.  Whereas a timestamp typically has defined semantics -
> sometimes simply a non-decreasing integer value - and sometimes a
> representation of time, and then, sometimes with a uniqueness requirement.
>
> For discussion purposes, I'll say that the simplest thing for us to do
> (should we decide to do anything in this regard) would be to define the
> nonce as an opaque string value that must be preserved.
>
> We could also define a timestamp parameter, but as I wrote above, that
> would likely require us to specify additional semantics - starting with
> whether it's a non-decreasing integer or a representation of a time value.
> This seems much harder to define and possibly to use than a nonce.
>
> Would it make sense to define a nonce parameter now and hold off on
> defining a timestamp parameter until there's a clear demonstrated use case
> for which a nonce is not sufficient?  That would be my personal
> recommendation.
>
>                                 Best wishes,
>                                 -- Mike
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of
> Jim Schaad
> Sent: Friday, August 17, 2012 12:05 AM
> To: [email protected]
> Subject: [jose] POLL: Nonce/Timestamp parameter
>
> <CHAIR>
>
> If you voted at the face-2-face please do not vote again.  If you want to
> provide comments please change the title from POLL to DISCUSS.
>
> Do we need to define a nonce/timestamp parameter in the base specification?
>
>
>
> Room vote:  6 yes, 0 no, 1 discuss
>
>
> _______________________________________________
> jose mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/jose
_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
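
Added example, not part of the thread and not taken from any JOSE draft: a sketch of the distinction drawn in the quoted message, with a nonce handled as an opaque string that must come back unchanged, next to a timestamp that only works once its semantics are fixed. The header parameter names `nonce` and `ts`, the demo key, the compact HMAC token layout and the 300-second window are all assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets

KEY = b"constructed-demo-key"  # constructed shared secret, for illustration only

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(header: dict, payload: dict, key: bytes = KEY) -> str:
    """Build header.payload.mac; the header is covered by the MAC."""
    signing_input = ".".join(b64u(json.dumps(p).encode()) for p in (header, payload))
    mac = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64u(mac)

def verify(token: str, key: bytes = KEY) -> dict:
    """Return the header if the MAC is valid, else raise ValueError."""
    signing_input, _, sig = token.rpartition(".")
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64u_dec(sig)):
        raise ValueError("bad signature")
    return json.loads(b64u_dec(signing_input.split(".")[0]))

class NonceChecker:
    """Nonce as an opaque string: no parsing, exact match, accepted once."""
    def __init__(self):
        self.pending = set()

    def issue(self) -> str:
        nonce = secrets.token_urlsafe(16)
        self.pending.add(nonce)
        return nonce

    def accept(self, token: str) -> bool:
        nonce = verify(token).get("nonce")  # "nonce" is a hypothetical name
        if not isinstance(nonce, str) or nonce not in self.pending:
            return False
        self.pending.discard(nonce)  # a second presentation is a replay
        return True

def timestamp_fresh(token: str, now: int, max_skew: int = 300) -> bool:
    """Timestamp check; only meaningful once its semantics are fixed.
    Assumed here: "ts" (hypothetical name) is Unix seconds, +/- max_skew."""
    ts = verify(token).get("ts")
    return isinstance(ts, int) and abs(now - ts) <= max_skew
```

The nonce path needs per-request state on the side that issued it, while the timestamp path needs no state but depends on both parties agreeing on the unit and the allowed skew.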
