Re: [OAUTH-WG] JSON Web Token (JWT) Specification Draft

David Recordon <recordond@gmail.com> Mon, 27 September 2010 13:54 UTC


I thought the discussion from June had most people not
needing encryption and an extra envelope. Given how Mike wrote this spec it
seems like supporting encryption with an extra envelope is possible, but
shouldn't be required if all you're doing is signing.

On Sun, Sep 26, 2010 at 9:55 PM, Dick Hardt <dick.hardt@gmail.com> wrote:

> Don't put the signature information in the token, put it in a separate
> component (an envelope) that describes how the token is either signed or
> encrypted. See discussion from June:
>
> http://www.ietf.org/mail-archive/web/oauth/current/msg03211.html
>
>
> On 2010-09-26, at 9:20 PM, Mike Jones wrote:
>
> I’d be open to a proposal for also supporting encryption.  The draft was
> intended to be a starting point for productive discussion – not a finished
> product.
>
> Your thoughts?
>
>                                                             -- Mike
>
> *From:* Dick Hardt [mailto:dick.hardt@gmail.com]
> *Sent:* Sunday, September 26, 2010 9:17 PM
> *To:* Mike Jones
> *Cc:* oauth@ietf.org
> *Subject:* Re: [OAUTH-WG] JSON Web Token (JWT) Specification Draft
>
> Did you intentionally decide not to support encrypting the token?
>
> On 2010-09-23, at 5:22 PM, Mike Jones wrote:
>
>
> Recognizing that there is substantial interest in representing sets of
> claims in JSON tokens, Yaron Goland and I have put together a draft JSON Web
> Token (JWT) spec for that purpose.
>
> To answer the obvious question, while this was produced independently of Dirk’s
> JSON token proposal <http://balfanz.github.com/jsontoken-spec/draft-balfanz-jsontoken-00.html>,
> both of us agree that we should come up with a unified spec.  Consider this
> an additional point in the possible design space from which to start
> discussions and drive consensus.  (If you read the two proposals, I think
> you’ll find that there’s already a lot in common, which is great.)
>
> Thanks to those of you who have already given us feedback to improve the
> draft prior to this point.
>
>                                                             Cheers,
>                                                             -- Mike
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
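As an added illustration of the design being debated above (signing metadata carried in the token's own header rather than in a separate envelope), here is a small Python sketch; it is not code from the draft or from anyone on the thread. It follows the general compact shape later JWTs settled on (base64url header.payload.signature with an HMAC over header.payload); the "HS256" label and the demo key are assumptions, not taken from this message.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key; a real deployment uses a randomly generated secret.
DEMO_KEY = b"constructed-demo-key-not-for-real-use"


def b64url_encode(data: bytes) -> str:
    # base64url without '=' padding, as the compact serialization uses
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, key: bytes) -> str:
    """Signing metadata rides in the token's own header (no separate
    envelope): header.payload.signature, HMAC-SHA256 over header.payload."""
    header = {"typ": "JWT", "alg": "HS256"}  # "HS256" label is assumed here
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def verify_token(token: str, key: bytes) -> Optional[dict]:
    """Return the claims if the signature checks out, else None.
    The header is untrusted input: the verifier decides which algorithm it
    accepts, it does not let the header pick one for it."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        sig = b64url_decode(s_b64)
    except ValueError:  # wrong segment count, bad base64, or bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None  # missing, unsupported, or unsigned algorithm claim
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(b64url_decode(p_b64))


if __name__ == "__main__":
    token = sign_token({"iss": "example.test", "exp": 1285600000}, DEMO_KEY)
    print(token)
    print(verify_token(token, DEMO_KEY))
```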