Thanks for the candid feedback, Bob. I agree that the specs can be more
clearly delineated and I'll make that an editorial goal in the next round of
revisions. In particular, I agree that a non-JWT example should be added to
the JWS spec.
I intentionally kept complete JWT examples in the JWT spec, including examples
of the actual signing computations, so that people can verify that their JWT
implementations are compatible with these values. But I'd be open to input on
how complete these examples should be, versus those in the JWS spec (which
describe all the signing steps in full detail, unlike the JWT draft).
-- Mike
From: Bob Gregory [mailto:[email protected]]
Sent: Tuesday, April 05, 2011 9:10 AM
To: Mike Jones
Cc: [email protected]; [email protected]; [email protected];
[email protected]
Subject: Re: [OAUTH-WG] JSON Web Token (JWT) Draft -04
Hi Mike,
I'm going to start implementing draft 4 in the near future. At a cursory
reading, I'm concerned that splitting the specifications has not simplified the
language, rather it has confused the specification, and introduced
generalisation where there were formerly simple, specific cases.
If the long-term intent is that JWS and JWE should form composable operations
for signing and encrypting content, while JWT specifies a payload format, then
the specifications should be more clearly delineated. The current JWT draft
makes repeated references to headers and signatures, and includes an appendix
entry giving examples of signing. If JWS is the specification for signing, then
the JWT draft should drop these sections.
JWT then becomes a teeny-weeny specification consisting of an overview, a table
for reserved claim names, the rules for verifying those claims, and some notes
on creating custom claims.
Likewise, if JWS is intended to be a general mechanism for signing messages, it
would be preferable to see examples in the JWS spec which do not refer to the
JWT spec. Simple strings, or base64 encoded binary would make better examples
for JWS, without coupling the two specifications together.
As it stands, it's impossible to implement JWT without continual
cross-reference. It's much harder to gain a sense of how an implementation
ought to hang together than it used to be.
It's still possible for Jwt4net to be a compliant implementation of JWT without
supporting a generalised JWS implementation, but checking compliance is going
to be much harder. I think the next steps for the library, once I've fixed a
couple of glaring holes, will be to refactor out a full JWS implementation, and
treat JWT as a special case, but that adds accidental complexity to what was a
relatively simple library (barring my own over-complication through stupidity).
I'm still a big fan of JWT as a standard, but I think the current spec language
is a step backwards for implementation.
-- Bob Gregory
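As an added illustration of the layering Bob describes above (JWS as a generic signing operation over any bytes, JWT as the special case where the payload is a JSON claims object), the following example is not from the thread, the drafts, or Jwt4Net. It assumes the compact form header.payload.signature with base64url segments, an HMAC-SHA256 signing input of base64url(header) "." base64url(payload), and a constructed shared key; it does not reproduce draft -04's exact test values.

```python
# Added example: minimal HS256 JWS over arbitrary bytes, with JWT as a JWS whose
# payload is JSON claims. Assumes the compact serialization described in the lead-in.
import base64
import hashlib
import hmac
import json
import time

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def jws_sign(payload: bytes, key: bytes, typ: str = "") -> str:
    """Sign any byte payload (a plain string, binary, or JSON claims).
    'typ' is set only when the caller is producing a JWT."""
    header = {"alg": "HS256"}
    if typ:
        header["typ"] = typ
    encoded_header = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    signing_input = encoded_header + "." + b64url_encode(payload)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def jws_verify(token: str, key: bytes) -> bytes:
    """Return the payload bytes, or raise ValueError if the JWS is not valid."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    # Pin the algorithm the verifier expects instead of trusting the header.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    return b64url_decode(p)

def jwt_verify(token: str, key: bytes, now: int = 0) -> dict:
    """JWT = JWS whose payload is a JSON claims object; additionally enforce 'exp'."""
    claims = json.loads(jws_verify(token, key))
    now = now or int(time.time())
    if "exp" in claims and now >= int(claims["exp"]):
        raise ValueError("token expired")
    return claims
```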
On Wed, Mar 30, 2011 at 4:37 PM, Mike Jones
<[email protected]> wrote:
Thanks, Bob. That's great to hear!
I look forward to your feedback on the spec based upon your actual use.
-- Mike
From: Bob Gregory [mailto:[email protected]]
Sent: Wednesday, March 30, 2011 8:36 AM
To: Mike Jones
Cc: [email protected]<mailto:[email protected]>; [email protected]<mailto:[email protected]>;
[email protected]<mailto:[email protected]>;
[email protected]<mailto:[email protected]>
Subject: Re: [OAUTH-WG] JSON Web Token (JWT) Draft -04
I've just uploaded a .Net implementation of JWT issuance and consumption to
GitHub @ https://github.com/BobFromHuddle/Jwt4Net
This is in no way ready for public release, but is in use in a production system.
It's based on draft 1, and I'll try and update it to draft 4 compliance next
week.
We're intending to provide full coverage of the JWT spec as it matures, the
major block for us at the moment is the lack of a specification for the "jku"
key encoding scheme. Until that's decided, we're using .Net's default
serialization of private keys which is based on RFC 4050.
-- Bob Gregory
On Wed, Mar 30, 2011 at 9:57 AM, Mike Jones
<[email protected]> wrote:
Draft -04 of the JSON Web Token
(JWT)<http://self-issued.info/docs/draft-jones-json-web-token.html>
specification is available. It corrects a typo found by John Bradley in -03.
The draft is available at these locations:
* http://www.ietf.org/internet-drafts/draft-jones-json-web-token-04.txt
* http://www.ietf.org/internet-drafts/draft-jones-json-web-token-04.xml
* http://self-issued.info/docs/draft-jones-json-web-token-04.html
* http://self-issued.info/docs/draft-jones-json-web-token-04.txt
* http://self-issued.info/docs/draft-jones-json-web-token-04.xml
* http://self-issued.info/docs/draft-jones-json-web-token.html (will
point to new versions as they are posted)
* http://self-issued.info/docs/draft-jones-json-web-token.txt (will
point to new versions as they are posted)
* http://self-issued.info/docs/draft-jones-json-web-token.xml (will
point to new versions as they are posted)
* http://svn.openid.net/repos/specifications/json_web_token/1.0/
(Subversion repository, with html, txt, and html versions available)
-- Mike
--
An infinite number of mathematicians walk into a bar. The first one orders a
beer. The second orders half a beer. The third, a quarter of a beer. The
bartender says "You're all idiots", and pours two beers.
_______________________________________________
specs mailing list
[email protected]
http://lists.openid.net/mailman/listinfo/openid-specs