Hi Prateek,
Thanks for taking the time to send in these comments. I am sending you this to
describe the changes that were made in response to your comments (mostly in -13
but also a few in -18). See individual responses inline.
-- Mike
From: [email protected] [mailto:[email protected]] On Behalf Of
Prateek Mishra
Sent: Wednesday, August 21, 2013 4:51 PM
To: Hannes Tschofenig
Cc: [email protected] WG
Subject: Re: [OAUTH-WG] WGLC on JSON Web Token (JWT)
1) As a JWT is always an instance of JWE or JWS, I am not sure why there is a
need for the the materials found in Section 5, para 1 (these are also found in
the JWE and JWS draft specifications). It could simply be removed from the
draft.
There's a stylistic tension between saying things in exactly one place and
making each document easier to read without constantly having to flip back and
forth between them. In this case, I believe that the small amount of
duplication aids developers who might not recursively read everything
referenced in full detail.
2) Why do we need both a "typ" claim and a "typ" header name? Need they have
some relationship to each other?
Isn't this also covered by Section 5.3?
The "typ" claim was removed as part of the JOSE change to use MIME type names
for "typ" and "cty" header parameter values.
3) The materials in Section 5.3 could be simplified further.
Why should the use of claims as header parameters be restricted to the case
where the JWT=JWE; what about the encrypt then sign (symmetric) use-case? I see
no issue in allowing this feature with a JWT of any type.
As written, the specs actually already allow the header to be extended with any
parameters, as needed by applications. Replicating encrypted claims as
unencrypted header parameter values is only one such permitted usage.
The last paragraph of Section 5.3 ("This specification reserves the iss
(issuer), sub (subject),....") seems to be an instance of the
previous paragraph. If claims are allowed in the header, then iss (issuer), sub
(subject) are trivially allowed, right? I couldn't find any additional
information in this last paragraph.
This text is referring to the fact that these three claims are registered in
the IANA JSON Web Signature and Encryption Header Parameters registry for use
as header parameters. I clarified this by adding a section number reference.
Finally, do we need "SHOULD verify that their values are identical" - given
that this matter is left upto applications, couldnt they choose to verify only
a certain relationship between the corresponding values (e.g., header carries
hash of value, JWT carries the (large) complete value)? Can this be weakened
to "SHOULD verify that their values have an appropriate (application-defined)
relationship. In many instances, applications may want to ensure that they are
identical".
Agreed. I added a qualifying clause saying that "the application receiving
them SHOULD verify that their values are identical, unless the application
defines other specific processing rules for these Claims".
4) Section 8 -
am I correct in reading this as: all conforming JWT implementations MUST
implement JWS and MAY implement JWE?
At least thats what I understood from the last paragraph ("if an implementation
provides encryption capabilities...").
Correct
- prateek
Hi all,
this is a working group last call for the JSON Web Token (JWT).
Here is the document:
http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-11
Please send you comments to the OAuth mailing list by August 21, 2013.
Ciao
Hannes & Derek
_______________________________________________
OAuth mailing list
[email protected]<mailto:[email protected]>
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
