I propose that the following text be added to address your comment, Brian.
Does this text work for you?
When applying explicit typing to a Nested JWT, the "typ" header parameter
containing the explicit type value MUST be present in the inner JWT of the
Nested JWT (the JWT whose payload is the JWT Claims Set). The same "typ"
header parameter value MAY be present in the outer JWT as well, to explicitly
type the entire Nested JWT.
-- Mike
From: Brian Campbell <[email protected]>
Sent: Monday, July 17, 2017 10:53 AM
To: Phil Hunt (IDM) <[email protected]>
Cc: Mike Jones <[email protected]>; [email protected]
Subject: Re: [OAUTH-WG] JSON Web Token Best Current Practices draft describing
Explicit Typing
Could some more guidance be provided around how to use the explicit typing with
nested JWTs?
I'd imagine that the "typ" header should be in the header of the JWT that is
integrity protected by the issuer?
On Tue, Jul 4, 2017 at 9:58 PM, Phil Hunt (IDM)
<[email protected]<mailto:[email protected]>> wrote:
+1
Thanks Mike.
Phil
On Jul 4, 2017, at 12:43 PM, Mike Jones
<[email protected]<mailto:[email protected]>> wrote:
The JWT BCP draft has been updated to describe the use of explicit typing of
JWTs as one of the ways to prevent confusion among different kinds of JWTs.
This is accomplished by including an explicit type for the JWT in the “typ”
header parameter. For instance, the Security Event Token (SET)
specification<http://self-issued.info/?p=1709> now uses the
“application/secevent+jwt” content type to explicitly type SETs.
The specification is available at:
* https://tools.ietf.org/html/draft-sheffer-oauth-jwt-bcp-01
An HTML-formatted version is also available at:
* http://self-issued.info/docs/draft-sheffer-oauth-jwt-bcp-01.html
-- Mike
P.S. This notice was also posted at http://self-issued.info/?p=1714 and as
@selfissued<https://twitter.com/selfissued>.
_______________________________________________
OAuth mailing list
[email protected]<mailto:[email protected]>
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
[email protected]<mailto:[email protected]>
https://www.ietf.org/mailman/listinfo/oauth
CONFIDENTIALITY NOTICE: This email may contain confidential and privileged
material for the sole use of the intended recipient(s). Any review, use,
distribution or disclosure by others is strictly prohibited. If you have
received this communication in error, please notify the sender immediately by
e-mail and delete the message and any file attachments from your computer.
Thank you.
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth