[OAUTH-WG] draft-ietf-oauth-status-list: separate URIs for JWT & CWT

"Manger, James" <James.H.Manger@team.telstra.com> Tue, 10 June 2025 03:01 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/A6g7CUPZjG7KjozoNrTaEdietWI>

draft-ietf-oauth-status-list offers 2 formats of status list tokens: JWT (JSON Web Token) and CWT (CBOR Web Token). But it only provides 1 “uri” field. That’s annoying; not developer-friendly; and unnecessary.

I suggest defining 2 fields: “jwt_uri” and “cwt_uri”. At least one must be present.


1 URI can “work” theoretically, but only if all clients and all servers always use the Accept HTTP request header to do content-negotiation. That complicates all parties. It means you can’t just paste the URI into a browser. You can’t use the simplest HTTP GET method that every programming language offers. Caching … who knows.
Perhaps the worst part is that 1 URI will mostly work even for clients that use a simple get(uri) method and don’t bother about the Accept header. The URI in a JWT will return a JWT (the URI in a CWT will return a CWT). The client will assume the result is what they expect. Then some issuers will require content-negotiation; some clients will break; those clients will be “at fault”, but issuers may need to hack their content-negotiation for interoperability. Better to offer 2 explicit fields for 2 explicit formats.

—
James Manger
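An added example, not from the mail or the draft, that simulates the two designs compared above in Python: a single-URI issuer that picks the format from the Accept header, a client that checks the response media type before parsing, and a picker for the proposed jwt_uri/cwt_uri fields. The issuer logic, token bodies and URIs are constructed; the media types are the ones draft-ietf-oauth-status-list registers.

```python
# Media types registered by draft-ietf-oauth-status-list for the two token formats.
JWT_MT = "application/statuslist+jwt"
CWT_MT = "application/statuslist+cwt"

# Constructed placeholder bodies (not real signed tokens).
JWT_BODY = b"eyJhbGciOi..constructed.jwt"
CWT_BODY = b"\xd2\x84\x43\xa1\x01\x26"  # constructed COSE_Sign1-tagged prefix


def issuer_single_uri(accept=None):
    """Constructed issuer for the single-'uri' design: one URI, format chosen
    from the Accept header. A request with no Accept header gets the issuer's
    default (JWT here), whatever the caller actually expected."""
    if accept is None or JWT_MT in accept:
        return JWT_MT, JWT_BODY
    if CWT_MT in accept:
        return CWT_MT, CWT_BODY
    return "text/plain", b"406 Not Acceptable"


def fetch_checked(fetch, expected_mt, accept=None):
    """Client that refuses to parse a body whose Content-Type is not the format
    the referencing token promised. A plain get(uri) that skips this check
    would silently hand a JWT body to a CWT parser (or vice versa)."""
    mt, body = fetch(accept)
    if mt != expected_mt:
        raise ValueError(f"expected {expected_mt}, got {mt}")
    return body


def pick_uri(status_list_ref, supported):
    """Proposed design: explicit per-format fields, so no negotiation is needed.
    'supported' lists the formats this client can parse, in preference order.
    Enforces the rule that at least one of the two fields must be present."""
    fields = {"jwt": "jwt_uri", "cwt": "cwt_uri"}
    if not any(name in status_list_ref for name in fields.values()):
        raise ValueError("status list reference must carry jwt_uri or cwt_uri")
    for fmt in supported:
        uri = status_list_ref.get(fields[fmt])
        if uri:
            return fmt, uri
    raise ValueError("no status list URI in a format this client supports")
```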

