Re: [OAUTH-WG] [COSE] Consensus Call: Adoption of the COSE Token

Erik Wahlström neXus <> Fri, 04 December 2015 21:05 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id A90FC1A8B84; Fri, 4 Dec 2015 13:05:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.309
X-Spam-Status: No, score=-2.309 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-0.7, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 0bFWnDbI7_ZE; Fri, 4 Dec 2015 13:05:49 -0800 (PST)
Received: from ( []) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 904BB1A8AEA; Fri, 4 Dec 2015 13:05:48 -0800 (PST)
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.995.29; Fri, 4 Dec 2015 22:05:45 +0100
Received: from ([fe80::1d3d:b319:f020:2bab]) by ([fe80::1d3d:b319:f020:2bab%12]) with mapi id 15.00.0995.032; Fri, 4 Dec 2015 22:05:45 +0100
From: Erik Wahlström neXus <>
To: Kathleen Moriarty <>
Thread-Topic: [COSE] Consensus Call: Adoption of the COSE Token
Thread-Index: AQHRGTKb6mzibdroQ0aWbiONihL/Fp6mw9kAgAHRn4CAAEgoAIASjksA
Date: Fri, 04 Dec 2015 21:05:45 +0000
Message-ID: <>
References: <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US, sv-SE
Content-Language: en-US
x-mailer: Apple Mail (2.2104)
x-originating-ip: []
Content-Type: multipart/alternative; boundary="_000_C1C044D142DA443DB97243CFF444733Bnexusgroupcom_"
MIME-Version: 1.0
Archived-At: <>
Cc: "" <>, "<>" <>, "" <>
Subject: Re: [OAUTH-WG] [COSE] Consensus Call: Adoption of the COSE Token
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 04 Dec 2015 21:05:52 -0000


We just submitted an updated version of the CBOR Web Token (CWT) to the ACE WG repository. The new version references the JWT claims. Name is also kept to CBOR Web Token to make it clear it’s derived from JWT and uses both claim names and formats.

/ Erik, Mike and Hannes

On 23 Nov 2015, at 02:43, Kathleen Moriarty <<>> wrote:


Looking across the three WGs, there are good arguments for doing the work in each, but ACE would be the best WG for a few reasons.

COSE is supposed to be short-lived, let's keep it that way.

OAUTH has a full plate, although they tend to be very productive.

ACE has just become more focused and I think this could fit well once the OAUTH solution work is underway.

There's enough overlap for this to happen in any of the WGs.

Thanks for the discussion, I was waiting to chime in until it was hashed out a bit to see if there was any overwhelming consensus without influencing the outcome.  Now that it has quieted down, ACE is probably the best plan.


Sent from my iPhone

On Nov 22, 2015, at 4:25 PM, Erik Wahlström neXus <<>> wrote:


Yes, we have a draft posted in the OAuth WG for a CBOR Web Token (CWT).

We want to keep it there and reference the JWT claims (also defined in OAuth WG) and later add attributes needed for authentication and authorization for IoT to JWT/CWT in ACE WG.


On 21 Nov 2015, at 18:39, Justin Richer <jricher@MIT.EDU<mailto:jricher@MIT.EDU>> wrote:

Reading through the threads an opinions, there is no clear consensus as to where the work should be done. There is roughly equal support for doing this in any of the three offered working groups.

There is clear consensus that it should be done and that, as much as possible, it should be a direct map of the existing JWT payload object and common claims.

In this light, someone needs to just start the work as an individual draft and push forward, and whichever working group most wants to can pick it up and publish it. I have no qualms on accepting this work within the COSE working group and I believe there is enough support to warrant that placement if an author submits a draft here (and this remains my preference as an individual), but I will not object to another group picking it up.

I believe, with all of the overlap between groups, that we will have no trouble getting the “right people” to look at it. Additionally, it is clear that it will be very beneficial to have formal reviews from all three groups once the draft has reached a mature status.

Thankfully, Erik has already done this with his “COSE Web Token” draft. He’s initially targeted this at the OAuth working group, and the work started in ACE, so I call to the author to pick a location and run with it.

— Justin, your COSE chair

On Nov 7, 2015, at 3:01 AM, Justin Richer <jricher@MIT.EDU<mailto:jricher@MIT.EDU>> wrote:

At the Yokohama meeting, the chairs agreed to do a consensus call regarding the adoption and placement of new work to define a COSE Token, analogous to the JWT from JOSE. In the room, there was a general sentiment of support for the work being done, with the wide adoption of JWT and its driving of JOSE being a common theme of precedent. What wasn’t clear is where the work should be done and to what end it should drive. The six positions we are asking the working group to consider and voice their support for are:

A) Define the COSE Token within the COSE working group along side the COSE Messages (and potentially COSE Auxiliary Algorithms) draft.
B) Define the COSE Token inside the OAuth working group.
C) Define the COSE Token inside the ACE working group.
D) Don’t define the COSE Token anywhere.
E) You need more information to decide.
F) You don’t give a flying rat about the COSE Token.*

The consensus call will remain open for two weeks from today, closing on November 21, 2015; at which time, hopefully we will have a clear answer and direction to point this work.

Thank you,
— Justin & Kepeng, your COSE chairs

* I promised those in the room at Yokohama to offer a flying rat option, for which I am deeply sorry.
COSE mailing list<>

COSE mailing list<>

COSE mailing list<>