Thanks for talking the time to reply to the individual comments, Mike.
The structure of the JWT doc is still flawed. The root cause is that JWT tries
to do three tasks:
1. Describe how a JOSE message can be a JWE or a JWS.
2. Describe how JOSE messages can nest (eg JWS in a JWE; JWE in a JWS;
JWS in a JWE in a JWS in a JWE).
3. Describe a JSON object representing a collection of claims; including
iss, sub, aud, exp, nbf, iat, jti members.
#1 and #2 are not specific to JWT. They shouldn’t be specified in JWT; they
certainly shouldn’t use a JWT-specific value ("cty":"JWT") to indicate when
nesting is occurring; and they shouldn’t require introducing JWT-specific
terminology (eg “JWT Header”).
The JWT doc has this problem because the JOSE specs don’t define a JOSE
message, they only specify JWS and JWE separately. That JOSE omission has
propagated up the stack to substantially complicate the JWT doc, and presumably
that complication has to be repeated for every other specification of an
application like JWT that want to use JOSE messages.
Curiously, for all the text about nested JOSE messages, the JWT doc still isn’t
specific about what combinations MUST be supported for interoperability. I
wouldn’t expect many JWT-compliant receivers to accept
claims-in-a-JWS-in-a-JWE-in-another-JWE-in-another-JWS, but I cannot tell which
nesting will or will not work widely.
The text about collision-resistant names is still silly since you lose the
collision-resistance when you combine multiple namespaces (domain names, OIDs,
etc).
--
James Manger
From: Mike Jones [mailto:[email protected]]
Sent: Tuesday, 4 March 2014 9:22 AM
To: Manger, James; [email protected] WG
Subject: RE: [OAUTH-WG] WGLC on JSON Web Token (JWT)
Thanks for taking the time to send in the comments, James. I am sending you
this to describe the changes that were made in response to your comments
(mostly in -13 but also a few in -18). See individual responses inline.
-- Mike
-----Original Message-----
From: [email protected]<mailto:[email protected]>
[mailto:[email protected]] On Behalf Of Manger, James H
Sent: Thursday, August 08, 2013 7:55 AM
To: [email protected]<mailto:[email protected]> WG
Subject: Re: [OAUTH-WG] WGLC on JSON Web Token (JWT)
Comments on draft-ietf-oauth-json-web-token-11:
1. Should JWT really go to WGLC before the JOSE docs that it depends on so
heavily (JWS/JWE/...)? Even if the "bytes-on-the-wire" are fairly stable, JWT
repeats a lot of text from JWS/JWE some of which is likely to change. Finishing
WGLC now and queuing the doc to be auto-published when JWS/JWE are published
would be bad (unless the duplicate text is removed).
In practice, it seems that JWT has waited for JOSE (and I’ve kept them fully in
sync). At this point, I expect them proceed through the rest of the approval
steps in parallel.
2. The JWT doc would be so much more readable if it could refer to a "JOSE
message", "JOSE header", and "JOSE compact serialization"; instead of having to
explicitly talk about JWS and JWE every time even when talking about aspects
common to both. It would also avoid introducing "JWT Header", "Encoded JWT
Header", "Nested JWT", "Plaintext JWT" etc as though these are new items, when
in fact they are just additional names for JOSE items. For instance, "JWT
Header" is effectively shorthand for "JWS or JWE header" but it is presented as
a JWT-specific thing.
I think this really only shows up in a few places – primarily when discussing
that the JWT Header is either a JWS Header or a JWE header. Given that these
are actually distinct but related data structures, making it evident that they
are different is arguably a good thing.
3. The doc should not repeat definitions from JWS and JWE.
The duplication has been substantially reduced, both within the JOSE docs, and
within this doc. That being said, there’s a stylistic tension between saying
things in exactly one place and making each document easier to read without
constantly having to flip back and forth between them. In this case, I believe
that the small amount of duplication aids developers who might not recursively
read everything referenced in full detail.
For instance, the whole first paragraph of section 5 "JWT Header" (JSON object;
describes crypto ops; unique names; reject duplicates or use last) is an almost
identical copy of paragraphs from JWS and JWE. The duplication (often
triplication) adds confusion (eg what is the difference between a JWT Header
and JWS Header?) and gets subtly out of sync (eg "cty" either "declares
structural information about the JWT" or "declares the type of the
secured/encrypted content (the payload/Plaintext) in an application-specific
manner").
The description of JWT’s use of “cty” is not out of sync – it is intentionally
more specific than the fully general, application-independent descriptions in
JWS and JWE. In this case, JWT is the application of JWS and JWE, and needs to
specify its requirements about how it uses this header parameter.
Other examples of unnecessarily duplicated text include: section 7 steps 3 & 4
(creating) and steps 1-8 (validating); section 7.1 text about comparing "alg"
values; parts of the last 2 paragraphs of section 3 "JWT overview"; 1st and 3rd
paragraphs of section 5.2 "cty"; 1st, 2nd, and 4th sentence of section 5.1
"typ".
Step 4 of creation was removed because it truly was a duplicate. (3 is more
specific than the corresponding JWS and JWE steps, and so was not removed.)
The validating steps are necessary because JWT adds two things beyond JWS and
JWE: First, the contents can be either a JWS or JWE, and so there’s logic
described for the slightly different actions taken in the two cases. Second,
the JWT can be nested, so the logic for nesting and detecting nested JWTs is
defined. It *does* just rely on JWS and JWE for the creation and verification
aspects of the JWS and JWE aspects of JWTs.
Both “typ” and “cty” were reworked when their values where changed to MIME
types, reducing duplication.
4. Hardly anyone pronounces JWT as "jot" -- it is usually spelt out -- so drop
the sentence in the abstract suggesting the "jot" pronunciation.
Your experience may vary, but in in-person conversations, it’s usually
pronounced “jot” in my experience. (It’s a lot easier to say than “J W T” or
“JSON Web Token” and people tend to like short names to say.)
5. Collision Resistant Namespace (section 2 "Terminology") mentions domain
names, OIDs, and UUIDs as examples, but fails to mention URIs, which is a
likely choice. Domain names will start colliding with "reserved" names soon
with all the new top-level domains. Should UUIDs use a "urn:uuid:" prefix, or
"uuid:", or no prefix? Should UUIDs only use lower-case hex digits (otherwise
duplicate UUIDs will look like distinct JSON names)? Should an OID be "2.5.4.3"
or "oid:2.5.4.3" or "URN:OID:2.5.4.3" or "commonName" or "cn"? Collision
resistant namespaces lose collision-resistance when you combine namespaces as
is done here.
As you suggested, domain names are now the first example mentioned. This was
also rewritten with input from Jim Schaad.
Could the reserved/public/private mess be simplified by saying (at the end of
section 4 "JWT Claims"):
A claim name can be any string. Using URIs as claim names is one
way to ensure claim names are unambiguous. Claim names that are
not URIs SHOULD be registered in the IANA Claims registry [section 9.1]
Then drop the last paragraph of section 4 "JWT claims" that starts "there are
three classes of JT Claim Names"; drop section 4.2 "Public claim names"; drop
section 4.3 "Private claim names"; drop the "collision resistant namespace"
term.
Calling out that there are three distinct classes of names has been valuable in
helping developers think about how to use claim names, in practice. In
particular, it lets us describe the benefits and drawbacks of each, helping
developers and deployers make reasonable choices for their application contexts.
At Jim Schaad’s suggestion, “public” was changed to “registered” and the
description changed to talk about this class of names being in the IANA
registry.
6. The docs says including a "typ" field is OPTIONAL. Even when present "typ"
can have any value since the two suggestions in the doc ("JWT" or
"urn:ietf:params:oauth:token-type:jwt") are only RECOMMENDED. Given this, there
doesn't seem to be anything a JWT recipient can usefully do with "typ". If it
tries to use "typ" it will just be incompatible with compliant JWT senders that
either omit "typ" or use another value. It would be better to drop section 5.1
"Type Header Parameter" entirely -- leaving any "typ" value definitions to
profiles that actually define processing for such values.
The description has been reworked to mostly just refer to the JWS and JWE
definitions. The URN usage was removed when “typ” and “cty” values were made
MIME type values.
7. The doc redefines the "cty" header parameter, which is already defined in
JWS and JWE (slightly differently in all 3 cases - argh). JWT uses "cty" to
indicate nested JOSE messages, which should be a JOSE feature as it is not
specific to JWT (hence "cty":"jwt" is a poor choice).
The description has been reworked to mostly just refer to the JWS and JWE
definitions. “cty” is not redefined; it’s use by JWT is specified.
8. [Editorial] "JWA signing algorithm" and "JWA encryption algorithms" are the
wrong phrases. These are JWS signing algs and JWE encryption algs that happen
to be specified in JWA.
The phrases "JWA signing algorithms" and "JWA encryption algorithms" were
removed.
9. Including a short description for each claim name in the registry would be
useful. Just a 3-letter abbreviation is not helpful enough. Eg add a Claim
description field:
Claim name: "nbf"
Claim description: not before
Change controller: IETF
Specification document: section 4.1.5. of [[ this doc ]]
This was done – both here and in the JOSE documents. Thanks for the useful
suggestion.
--
James Manger
> ----------
> Sent: Wednesday, 7 August 2013 7:20 PM
> Subject: [OAUTH-WG] WGLC on JSON Web Token (JWT)
>
> Hi all,
>
> this is a working group last call for the JSON Web Token (JWT).
>
> Here is the document:
> http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-11
>
> Please send you comments to the OAuth mailing list by August 21, 2013.
>
> Ciao
> Hannes & Derek
_______________________________________________
OAuth mailing list
[email protected]<mailto:[email protected]>
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
