Re: [OAUTH-WG] Next Steps for the JSON Web Token Document

Brian Campbell <> Fri, 01 November 2013 19:53 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id AFFDE11E811D for <>; Fri, 1 Nov 2013 12:53:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -5.847
X-Spam-Status: No, score=-5.847 tagged_above=-999 required=5 tests=[AWL=0.130, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 5lrwd61bjoma for <>; Fri, 1 Nov 2013 12:53:39 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 4899B21F9FA4 for <>; Fri, 1 Nov 2013 12:53:36 -0700 (PDT)
Received: from ([]) (using TLSv1) by ([]) with SMTP ID; Fri, 01 Nov 2013 12:53:36 PDT
Received: by with SMTP id aq17so8413192iec.34 for <>; Fri, 01 Nov 2013 12:53:35 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=04vhuw6zEfsyVyjmzHFIKxTMcjhpP0aP40tNj5bwHQw=; b=mmVp/8ISJYdRpMDzyT/sCctkzcCPyCRHa7bYka3ldj32fqtjP98NPZGSvsP1KYwc7k 8e73qn1lrNTCtbTLkinrD9isJOEnFSEpFvSEYAFYwtAqbHBTTFcdgHrjtK4PT/NpsClW ItdYljmBfndazCkoChDpceGwcJtwlAVlBZEZpVmY54I26zgTEVe6k/niNzrbu3zCxpIc 2lEKEtps4vE5G4tUlQgNynNjx5eikzZkmhCt/odcLi+3UVo5UVcjjmvwY4cnXxvvi/2V dqigc5hcY9iN7MRY7+CydJTN8c9EY4+x7nC2TkvTy6ZdjOEtmQlJcMZKAPi2HltYax9/ 0DMQ==
X-Gm-Message-State: ALoCoQm87woNLzLDIcBJevVZ2YxhDsfNZJ2D7XuuC0SyK504DtNCq4uIGIrRkK+8fDMjyLV+KMg2wmY/+NAaF0GcTlDlCeR3Prk84DkJfyVz1I3po1CELz4UD2G2KlBvlW3PZT0V4bUlX4PZZPxwRWWts0ckVamNKw==
X-Received: by with SMTP id x12mr3706431igp.41.1383335615765; Fri, 01 Nov 2013 12:53:35 -0700 (PDT)
X-Received: by with SMTP id x12mr3706424igp.41.1383335615608; Fri, 01 Nov 2013 12:53:35 -0700 (PDT)
MIME-Version: 1.0
Received: by with HTTP; Fri, 1 Nov 2013 12:53:05 -0700 (PDT)
In-Reply-To: <>
References: <>
From: Brian Campbell <>
Date: Fri, 01 Nov 2013 13:53:05 -0600
Message-ID: <>
To: "Tschofenig, Hannes (NSN - FI/Espoo)" <>
Content-Type: multipart/alternative; boundary="089e0158a8faf951f404ea22ebf5"
Cc: "" <>
Subject: Re: [OAUTH-WG] Next Steps for the JSON Web Token Document
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 01 Nov 2013 19:53:43 -0000

I just saw
Hannes noting reviews on draft-ietf-oauth-json-web-token and was
surprised that mine wasn't included. So I went looking for it and
apparently I didn't actually send it to the list. But I did find it and am
including what I wrote and tried but failed to send back in September.
Sorry about that.

And here it s:

Below are my review comments on the JSON Web Token Document that I (had
forgotten until reminded by Hannes yesterday) committed to reviewing at the
meeting in Berlin.

Review of draft-ietf-oauth-json-web-token-11:

* The sentence about the suggested pronunciation being 'jot' is in both the
intro and the abstract. Seems like just once would be sufficient.

* Should "Base64url Encoding" in the Terminology section also mention the
omission/prohibition of line wrapping?

* References to sections or appendices in other documents often don't have
the correct href value.  For example, "Base64url Encoding" in the
Terminology section has this problem for Section 3.2, which should point to
RFC 4648 and Appendix C, which should go to JWS but both refer to the local
document. There are many other instances of the same issue. I assume this
is due to some tool in the xml2rfc or I-D upload process (and I know I have
it in some of the drafts I author) but is this the kind of thing that the
RFC editor will take care of?

* I continue to struggle to understand how the type and content type Header
parameters and the type claim can or will be used in a meaningful and
reliable way.  I can't help but wonder if it couldn't be simplified. For
example. what if we only had the cty header and defined a cty value for a
JWT Claims Set - couldn't all the same things be conveyed?

* There are a number of the reserved claims that say the use of the claim
is OPTIONAL while also stating that the "JWT MUST be rejected" if some
condition about the claim doesn't hold. There seems to be some potential
ambiguity here regarding whether (in the absence of tighter
context-dependent requirements, which is what generalized JWT libraries
need to be built for) the optionality applies only to the producer or also
to the consumer of a JWT. My guess is that the claims are optional to
include for the producer but, if they are present, they must be validated
by the consumer and the JWT must be rejected if whatever condition isn't
satisfied. Do I have that right? Regardless, I think there is some
ambiguity as currently written that should be clarified.

Note that some of these comments relate to or even apply directly to JWS
and JWE as well. Which I suppose underscores the point James made a while
ago about progressing this document so far ahead of the JOSE drafts.

On Tue, Sep 10, 2013 at 8:26 AM, Tschofenig, Hannes (NSN - FI/Espoo) <> wrote:

> Hi again,
> I also checked the minutes from IETF#87 regarding the JWT and here are the
> action items:
> ** I issued a WGLC, as discussed during the meeting:
> ** We got some reviews from James, and Prateek. Thanks, guys!
> Here are the reviews:
> (James)
> (Prateek)
>  During the meeting a few others, namely Torsten, Karen, Paul Hoffman, and
> Brian volunteered to provide their review comments. Please send your review
> to the list.
> ** I will have to do my shepherd write-up as well.
> Ciao
> Hannes
> _______________________________________________
> OAuth mailing list