cc'ing JOSE on a minor JWT review comment that might impact JWS/JWA.

I agree that "plaintext" is not the most intuitive wording choice and that
"unsecured" might better convey what's going on with the "none" JWS
algorithm.

Mike mentioned that, if this change is made in JWT, there are parallel
changes in JWS. But note that there are also such changes in JWA (more than
in JWS actually).

On Fri, Sep 5, 2014 at 6:28 PM, Mike Jones <michael.jo...@microsoft.com>
wrote:

> -----Original Message-----
> From: Warren Kumari [mailto:war...@kumari.net]
> Sent: Monday, September 01, 2014 3:40 PM
> To: sec...@ietf.org; draft-ietf-oauth-json-web-token....@tools.ietf.org
> Subject: Review of: draft-ietf-oauth-json-web-token
>
> I'm a little confused by something in the Terminology section (Section 2):
>
> Plaintext JWT
>
> A JWT whose Claims are not integrity protected or encrypted.
>
> The term plaintext to me means something like "is readable without
> decrypting / much decoding" (something like, if you cat the file to a
> terminal, you will see the information). Integrity protecting a string
> doesn't make it not easily readable. If this document / JOSE uses
> "plaintext" differently (and a quick skim didn't find anything about
>
> this) it might be good to clarify. Section 6 *does* discuss plaintext
> JWTs, but doesn't really clarify the (IMO) unusual meaning of the term
> "plaintext" here.
>
>
>
> I’ve discussed this with the other document editors and we agree with you
> that “plaintext” is not the most intuitive wording choice in this context.
> Possible alternative terms are “Unsecured JWT” or “Unsigned JWT”.  I think
> that “Unsecured JWT” is probably the preferred term, since JWTs that are
> JWEs are also unsigned, but they are secured.  Working group – are you OK
> with this possible terminology change?  (Note that the parallel change
> “Plaintext JWS” -> “Unsecured JWS” would also be made in the JWS spec.)
>
>
>
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
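To make the distinction the thread is naming concrete, here is an added illustration (not code from the draft, the list, or any JOSE library): it builds both an Unsecured JWT (JWS `alg` "none", empty third segment, claims readable but not integrity protected) and its HS256-signed counterpart, classifies a compact token by that criterion, and shows a verifier that rejects the unsecured form unless the caller explicitly opts in. The HS256 key and the claims are constructed sample values.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample key for the signed case (not from the thread).
SAMPLE_KEY = b"constructed-demo-key"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims: dict, alg: str, key: bytes = b"") -> str:
    """Compact JWS; alg "none" yields an Unsecured JWT with an empty signature."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    if alg == "none":
        return signing_input + "."  # claims are readable, nothing protects them
    if alg == "HS256":
        sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
        return signing_input + "." + _b64url_encode(sig)
    raise ValueError("unsupported alg")


def classify_jwt(token: str) -> str:
    """'unsecured' when alg is none and the signature segment is empty, else 'signed'."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected three segments)")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") == "none":
        if parts[2] != "":
            raise ValueError("alg none must carry an empty signature")
        return "unsecured"
    return "signed"


def verify_jwt(token: str, key: bytes, allow_unsecured: bool = False) -> dict:
    """Return claims only once integrity is established, or if unsecured is opted in."""
    parts = token.split(".")
    if classify_jwt(token) == "unsecured":
        if not allow_unsecured:
            raise ValueError("rejected Unsecured JWT: claims are not integrity protected")
        return json.loads(_b64url_decode(parts[1]))
    if json.loads(_b64url_decode(parts[0])).get("alg") != "HS256":
        raise ValueError("unsupported alg")
    expected = hmac.new(key, (parts[0] + "." + parts[1]).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(parts[1]))
```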