Last Call: <draft-ietf-oauth-jwt-bcp-04.txt> (JSON Web Token Best Current Practices) to Best Current Practice

The IESG <> Mon, 25 March 2019 15:29 UTC

Return-Path: <>
Received: from (localhost [IPv6:::1]) by (Postfix) with ESMTP id 370961203EB; Mon, 25 Mar 2019 08:29:46 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: The IESG <>
To: "IETF-Announce" <>
Subject: Last Call: <draft-ietf-oauth-jwt-bcp-04.txt> (JSON Web Token Best Current Practices) to Best Current Practice
X-Test-IDTracker: no
X-IETF-IDTracker: 6.94.1
Auto-Submitted: auto-generated
Precedence: bulk
Sender: <>
CC:,, Hannes Tschofenig <>,,,
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Message-ID: <>
Date: Mon, 25 Mar 2019 08:29:46 -0700
Archived-At: <>
X-Mailman-Version: 2.1.29
List-Id: "IETF announcement list. No discussions." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 25 Mar 2019 15:29:47 -0000

The IESG has received a request from the Web Authorization Protocol WG
(oauth) to consider the following document: - 'JSON Web Token Best Current
  <draft-ietf-oauth-jwt-bcp-04.txt> as Best Current Practice

The IESG plans to make a decision in the next few weeks, and solicits final
comments on this action. Please send substantive comments to the mailing lists by 2019-04-08. Exceptionally, comments may be
sent to instead. In either case, please retain the beginning of
the Subject line to allow automated sorting.


   JSON Web Tokens, also known as JWTs, are URL-safe JSON-based security
   tokens that contain a set of claims that can be signed and/or
   encrypted.  JWTs are being widely used and deployed as a simple
   security token format in numerous protocols and applications, both in
   the area of digital identity, and in other application areas.  The
   goal of this Best Current Practices document is to provide actionable
   guidance leading to secure implementation and deployment of JWTs.

The file can be obtained via

IESG discussion can be tracked via

No IPR declarations have been submitted directly on this I-D.

The document contains these normative downward references.
See RFC 3967 for additional information: 
    rfc8037: CFRG Elliptic Curve Diffie-Hellman (ECDH) and Signatures in JSON Object Signing and Encryption (JOSE) (Proposed Standard - IETF stream)
    rfc6979: Deterministic Usage of the Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA) (Informational - Independent Submission Editor stream)
    rfc7516: JSON Web Encryption (JWE) (Proposed Standard - IETF stream)
    rfc7515: JSON Web Signature (JWS) (Proposed Standard - IETF stream)
    rfc7519: JSON Web Token (JWT) (Proposed Standard - IETF stream)
    rfc7518: JSON Web Algorithms (JWA) (Proposed Standard - IETF stream)