Re: [OAUTH-WG] Reservations and observations about draft JWT and CWT Status List

2023-10-03 Thread Denis
Hi David, I am not referring to RFC 7519 (JWT) but to RFC 8259 (JSON). I-JSON (i.e. Internet-JSON) mandates the uniqueness of claim names in an object (as well as JWT). RFC 8259 does not mandate uniqueness. Denis From JWT RFC 7519, section-4: The Claim Names within a JWT Claims Set

Re: [OAUTH-WG] Reservations and observations about draft JWT and CWT Status List

2023-10-03 Thread David Waite
From JWT RFC 7519, section-4: The Claim Names within a JWT Claims Set MUST be unique; JWT parsers MUST either reject JWTs with duplicate Claim Names or use a JSON parser that returns only the lexically last duplicate member name, as specified in Section 15.12 ("The JSON Object") of

Re: [OAUTH-WG] Reservations and observations about draft JWT and CWT Status List

2023-10-03 Thread Denis
Hi Watson, The word "semantics" is not present in RFC 8259. I looked for the word "unique" in RFC 8259. There are three occurrences of that word in clause 4. Objects, in particular: The names within an object SHOULD be unique There is indeed a "SHOULD", but not a "SHALL". If there

Re: [OAUTH-WG] Reservations and observations about draft JWT and CWT Status List

2023-10-03 Thread Tom Jones
Attackers do not stick to the rules. It sounds to me like one of the security considerations for any standard that employs json, or any other structured data language, is to ensure that the input is validated to be compliant. I have been in the position of trying to enforce type checking on

Re: [OAUTH-WG] Reservations and observations about draft JWT and CWT Status List

2023-10-03 Thread Watson Ladd
On Mon, Oct 2, 2023, 11:56 PM Denis wrote: > > Hi Justin, > > Your premise relies on a feature of JSON that does not exist. JSON does not > provide well-defined behavior for repeated names within an object: > > When the names within an object are not > unique, the behavior of software that

Re: [OAUTH-WG] Reservations and observations about draft JWT and CWT Status List

2023-10-03 Thread Denis
Hi Justin, Your premise relies on a feature of JSON that does not exist. JSON does not provide well-defined behavior for repeated names within an object: When the names within an object are not unique, the behavior of software that receives such an object is unpredictable. You should also

Re: [OAUTH-WG] Reservations and observations about draft JWT and CWT Status List

2023-10-02 Thread Justin Richer
Your premise relies on a feature of JSON that does not exist. JSON does not provide well-defined behavior for repeated names within an object: When the names within an object are not unique, the behavior of software that receives such an object is unpredictable. From:

[OAUTH-WG] Reservations and observations about draft JWT and CWT Status List

2023-10-02 Thread Denis
The latest draft (i.e. draft-looker-oauth-jwt-cwt-status-list-latest) which is available at: https://vcstuff.github.io/draft-looker-oauth-jwt-cwt-status-list/draft-looker-oauth-jwt-cwt-status-list.html includes the following illustrative drawing: +--++---+