Re: [OAUTH-WG] Francesca Palombini's No Objection on draft-ietf-oauth-access-token-jwt-12: (with COMMENT)

Brian Campbell <> Wed, 14 April 2021 20:55 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 0ABEC3A1F83 for <>; Wed, 14 Apr 2021 13:55:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id lnbkCNhKC5Hy for <>; Wed, 14 Apr 2021 13:55:44 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4864:20::129]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 294393A1F7D for <>; Wed, 14 Apr 2021 13:55:43 -0700 (PDT)
Received: by with SMTP id f41so12098240lfv.8 for <>; Wed, 14 Apr 2021 13:55:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=hbeiOGb5eic8F1eeQ0pkkErTvoZ5oIauVeiuc5qM1gA=; b=c+KSmYCd5eAOtD7x3j3GGHILN2ABYsKUek5OfiSmcnMpj5DwrfYPB296fjWX6FUmb/ Mygul3AWpulfBxrBRjfZN3qEVtZrfPEimLkWrreIn79m4J9TjHgPZ4uI7aM1pjoibl9C CSQVCF/+Uv6k4FNF3dMCeSeR/uYdFhtRszvvdPfXVDzvOfszGYYZLx1TZRPCJJyAyxps tyL3VlUUQ4NuFAN8tVhp+Cy5nXDJV5vnFRL1SEvmLtItYQxf5HuqrN79pqrCEMqVSu9o YLdOoQicb2GaSuhtaZQJk3Nta/mv0RnF5NOJC3VHZjtgWR1IFpK/2PCOJwvBVZzKoaaO z76Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=hbeiOGb5eic8F1eeQ0pkkErTvoZ5oIauVeiuc5qM1gA=; b=qRxNgWck2CpROdO8UH9DmdwEuRSodh+01Q29M7/aLovr6ufWFbL8mpvvN7nT4BmHHz /7xfEztM/8wVPkDPT/ynFp0ZN336T0lc1kz0hXVaRb1gFdhnkrmlquyDRpmN5jTEqZa/ muCpNc2W8vhpY6+JtkGZmGbJjCIyII2VS2Zrlk3q42dWSuwd8G+ilpKgMt4s3Qf77Sn6 Iu7negauL9y1gCepxx4Ag/W887jqxUH7+NAO36prh5NSIqpz7Ph7ybCot1EoFrX8u4Og ji50GuCTr+v3muLNaMIqexpxOuk4OufyGCBveswNKVfhS0ae/LsQKu9l5j+WCQSC3FKK 0fFw==
X-Gm-Message-State: AOAM531uW5dQbWokZrfb1vwRhVtOL9UXy+hNw6l1zteDIxvFKImJpBIS sRtugmWwFwD10jIzcNlwUl9djIn7MkVUvS1zTdr6MyLmlnbkT6GvWOWMW0bkKSIB8aRh9RPcqU2 nuruZBDFuAtyGvg==
X-Google-Smtp-Source: ABdhPJxpBFwEuCtjAeeiNaoUj7OSJIIbDD6+IXa97mKHOVX327B51nGG2XMFgTJnwpLtBzKyCxRLrjIu442LaMP2Sas=
X-Received: by 2002:a05:6512:1318:: with SMTP id x24mr47165lfu.376.1618433741564; Wed, 14 Apr 2021 13:55:41 -0700 (PDT)
MIME-Version: 1.0
References: <> <>
In-Reply-To: <>
From: Brian Campbell <>
Date: Wed, 14 Apr 2021 14:55:14 -0600
Message-ID: <>
To: Vittorio Bertocci <>
Cc: Francesca Palombini <>, The IESG <>, "" <>, "" <>, "" <>
Content-Type: multipart/alternative; boundary="000000000000424b2705bff4f828"
Archived-At: <>
Subject: Re: [OAUTH-WG] Francesca Palombini's No Objection on draft-ietf-oauth-access-token-jwt-12: (with COMMENT)
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 14 Apr 2021 20:55:49 -0000

On Wed, Apr 14, 2021 at 1:19 AM Vittorio Bertocci <vittorio.bertocci=> wrote:

> >     3. -----
> > [...]
> Formally, I agree that JOSE would also work. The choice of media type
> derives from There is
> no functional difference between JWS and JWE in the intent a client has
> when calling an RS, here there's not much to be gained in using different
> MIME types for those cases. Furthermore, whereas developers are familiar
> with the term "JWT", both from direct use and thanks to the popularity of
> OpenID Connect (which does use application/jwt), terms like JWS, JWE or
> JOSE wouldn't be as promptly understood as JWT. Throughout the discussions
> in the last couple of years, the consensus on the use of at+jwt was solid-
> my hope is that will make intuitive sense for implementers, too.

I think the use of 'at+jwt' was also (or even primarily) motivated by
explicitly typing per the JWT BCP as a means of
preventing Cross-JWT Confusion

_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._