Re: [OAUTH-WG] Please review draft-ietf-oauth-json-web-token

prateek mishra <prateek.mishra@oracle.com> Wed, 07 November 2012 15:16 UTC

Message-ID: <509A7B47.8050308@oracle.com>
Date: Wed, 07 Nov 2012 10:16:23 -0500
From: prateek mishra <prateek.mishra@oracle.com>
Organization: Oracle Corporation
To: oauth@ietf.org
References: <7C0172BC-1D34-4C96-9220-0496BF14B262@gmx.net>
In-Reply-To: <7C0172BC-1D34-4C96-9220-0496BF14B262@gmx.net>
Subject: Re: [OAUTH-WG] Please review draft-ietf-oauth-json-web-token

Hannes - here are a couple of comments on the 05 draft -

(i) Section 4 -

[quote]
Note however, that the set of claims that a JWT must contain to be considered valid is context-dependent and is outside the scope of this specification. When used in a security-related context, implementations MUST understand and support all of the claims present; otherwise, the JWT MUST be rejected for processing.
[/quote]

I am not sure what is being stated here. I understand the general sense of the paragraph, but I found the two sentences to be contradictory. The second sentence is also very strong - suppose we find some private claim in a JWT that the recipient is unable to understand - perhaps an optional attribute-value pair - MUST it then reject the token?

(ii) Section 6 -

[quote]
A plaintext JWT is a JWS using the "none" JWS "alg" header parameter value defined in JSON Web Algorithms (JWA) [JWA <http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-05#ref-JWA>]; it is a JWS with an empty JWS Signature value.
[/quote]

It is later clarified that by "empty JWS Signature value" the draft means "empty string". That could be added as a parenthetical remark at the end of the sentence. I actually spent some time looking up the term "empty JWS Signature value" in the JWS specification.

Thanks,
prateek
> Hi all,
>
> you may have noticed that the JOSE working group has made good progress with their work and they are getting closer to a WGLC. This is a good point in time for us to review the JWT spec (see http://datatracker.ietf.org/doc/draft-ietf-oauth-json-web-token/). Please read through it in preparation for the meeting.
>
> It would be good to hear who has implemented it and whether there is feedback on the document. Given the OpenID Connect interoperability tests there seem to be lots of implementations.
>
> We would like to start a WGLC as soon as the WGLC for the JOSE documents starts.
>
> Ciao
> Hannes
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
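As an added example (not part of this message or of the draft), a small Python validator exercising both points raised above: it builds and parses a plaintext JWT, checks that the third segment is literally the empty string, and applies the Section 4 rule that in a security-related context every claim present must be understood by the recipient. The understood-claim set and the private claim name used in the comments are assumptions.

```python
import base64
import json

# Claims this hypothetical recipient understands (assumed set, for illustration).
UNDERSTOOD_CLAIMS = {"iss", "sub", "aud", "exp", "iat"}


def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment, as used by JWS compact serialization."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_plaintext_jwt(claims: dict) -> str:
    """Plaintext JWT: alg "none" and an empty JWS Signature, i.e. the empty string."""
    header = b64url_encode(json.dumps({"alg": "none"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def parse_jwt(token: str):
    """Split the compact serialization and decode header and claim set."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("JWT compact serialization needs exactly three segments")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1])), parts[2]


def check_claims(claims: dict, security_context: bool) -> list:
    """Return the claims the recipient does not understand.

    In a security-related context the draft says the JWT MUST be rejected if any
    are present; outside that context the caller may tolerate them.
    """
    unknown = sorted(set(claims) - UNDERSTOOD_CLAIMS)
    if security_context and unknown:
        raise ValueError(f"rejecting JWT: unrecognized claims {unknown}")
    return unknown


def validate_plaintext(token: str, security_context: bool) -> dict:
    """Accept a plaintext JWT only where policy allows "none": it has no integrity."""
    header, claims, signature = parse_jwt(token)
    if header.get("alg") != "none":
        raise ValueError("not a plaintext JWT")
    if signature != "":  # "empty JWS Signature value" means the empty string
        raise ValueError("plaintext JWT must carry an empty signature segment")
    check_claims(claims, security_context)
    return claims
```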