In the JWT spec the value of "typ" SHOULD be "jwt". That indicates, as Mike stated, that it is a JWT in compact format that has as its body a jwt claim set. If the claim set is signed then encrypted, the inner JWT has a typ of jwt and no cty, and the outer one has a typ of JWT and a cty of jws.
If a JOSE object has a typ of jws then one would assume that it is a jws in compact serialization with some other body type than a jwt claimset. I think this is somewhat a symptom of the JWT and JOSE specs getting split into different WG. So Mike can correct me but I don't think putting jwe or jws in typ is the intended use of that element if you are in fact sending JWT. I understand where Jim is coming from. I think of JWT as a jwt claim-set and JWE and JWS as the outer layer, where JWT thinks of itself as a total security token definition including overall processing rules for security tokens, with a standard envelope segment and JWE or JWS encoding as determined by the alg. In security token processing knowing that what you have will unwrap to a JWT claim-set, rather than to some other thing is quite important.

John B.

On 2013-05-29, at 7:56 PM, Dick Hardt <[email protected]> wrote:

> I use it all the time and my code would barf if it was not there.
>
> I think it should be required rather than be a hint if it is going to be there.
>
> On Wed, May 29, 2013 at 4:40 PM, Jim Schaad <[email protected]> wrote:
>
> I think the values just changed
>
> However the way you are using it would be an argument to say that it should be a required field. Are you just using it as a hint if it exists and then looking at the rest of the fields if it is not present?
>
> Jim
>
> From: Dick Hardt [mailto:[email protected]]
> Sent: Wednesday, May 29, 2013 3:49 PM
> To: Jim Schaad
> Cc: [email protected]
> Subject: Re: [jose] Should we delete the "typ" header field
>
> Well, I have been using, but now realize the spec changed or I was confused.
>
> I had been setting "typ" to be either "JWE" or "JWS" depending on the type of token I was creating or parsing as it was easier than looking at "alg"
>
> As currently defined, I don't see value in "typ".
>
> -- Dick
>
> On Wed, May 29, 2013 at 3:02 PM, Jim Schaad <[email protected]> wrote:
>
> In reading the documents, I am trying to understand the justification for having the “typ” header parameter in the JOSE documents.
>
> The purpose of the field is to hold the type of the object. In the past, I believe that values which should now be placed in the cty field (such as “JWT”) were placed in this field as well. However the parameter is optional and an implementation cannot rely on its being present. This means that for all practical purposes all of the code to determine the value of the type field from the values of the alg and enc fields. If the field was mandatory then this code would disappear at a fairly small space cost and I can understand why the parameter would be present.
>
> Can anybody justify why this field should be present in the document – or should it just disappear?
>
> Jim
>
> _______________________________________________
> jose mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/jose
>
> --
> -- Dick
>
> --
> -- Dick
> _______________________________________________
> jose mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/jose
_______________________________________________ jose mailing list [email protected] https://www.ietf.org/mailman/listinfo/jose
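
Added example, not part of the original thread or of any JOSE draft: a Python receiver that derives JWS versus JWE from the segment count and `alg`/`enc`, as Jim says code must do while `typ` is optional, and treats `typ` and `cty` only as hints that must not contradict that result. The function names and sample headers are constructed for illustration; the `cty` value `jws` follows John's description above.

```python
import base64
import json

def b64url_decode(seg: str) -> bytes:
    # Compact serialization strips base64url padding; restore it.
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def classify_compact(token: str) -> dict:
    """Classify a compact JOSE object from its structure and alg/enc.
    typ is optional, so it is only checked for consistency, never trusted."""
    parts = token.split(".")
    if len(parts) not in (3, 5):
        raise ValueError("not a JWS (3 segments) or JWE (5 segments)")
    header = json.loads(b64url_decode(parts[0]))
    if not isinstance(header, dict) or "alg" not in header:
        raise ValueError("header must be a JSON object with alg")
    kind = "JWE" if "enc" in header else "JWS"
    if (kind == "JWE") != (len(parts) == 5):
        raise ValueError("segment count disagrees with alg/enc")
    typ = header.get("typ")
    # Senders that put "JWS"/"JWE" in typ (Dick's usage in the thread)
    # must at least agree with what alg/enc say.
    if isinstance(typ, str) and typ.upper() in ("JWS", "JWE") and typ.upper() != kind:
        raise ValueError("typ contradicts the alg/enc-derived kind")
    cty = header.get("cty")
    # "jws" is the value named in this thread; RFC 7519 as later
    # published uses "JWT" for nested tokens. Accept either as "nested".
    nested = isinstance(cty, str) and cty.upper() in ("JWT", "JWS")
    return {"kind": kind, "typ": typ, "cty": cty, "nested": nested}

def make_sample(header: dict, segments: int) -> str:
    """Constructed sample: real header, placeholder remaining segments."""
    head = b64url_encode(json.dumps(header).encode())
    return ".".join([head] + [b64url_encode(b"x")] * (segments - 1))

# Constructed inputs (no real keys, signatures or ciphertext).
INNER = make_sample({"alg": "HS256", "typ": "JWT"}, 3)
OUTER = make_sample(
    {"alg": "RSA-OAEP", "enc": "A128GCM", "typ": "JWT", "cty": "jws"}, 5)
NO_TYP = make_sample({"alg": "HS256"}, 3)
LYING = make_sample({"alg": "HS256", "typ": "JWE"}, 3)
```

A receiver would call `classify_compact` before choosing a verification or decryption path, and unwrap again when `nested` is true.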
