Re: [OAUTH-WG] [COSE] A draft on CBOR Web Tokens (CWT)

Carsten Bormann, Thu, 12 November 2015 19:45 UTC

To: Erik Wahlström neXus
Cc: Hannes Tschofenig

Hi Erik,

having this draft is a good thing.

One thing I'm still wondering is what WG is the best place to progress
this.  We probably don't need to spend too much time on this because,
regardless of the WG chosen, the people in another WG can look at it.
Still, getting this right might provide some efficiencies.

What is the technical content of this draft?  Is it a new token that
OAuth needs specifically for the new COSE-based applications of OAuth?
Is it a new token that is specifically there for addressing ACE needs?
Or is it essentially the same substance as JWT, but phrased in and
profiled for CBOR?

Depending on the answer, CWT should be done in OAuth, ACE, or COSE.
(I'd rather hear the answer from the authors than venture a guess myself.)

Grüße, Carsten

Erik Wahlström neXus wrote:
> Hi,
> In the ACE WG a straw man proposal of a CBOR Web Token (CWT) was defined
> in the draft "Authorization for the Internet of Things using OAuth 2.0"
> [1]. We just broke out the CBOR Web Token into a separate draft and the
> new draft is submitted to the OAUTH WG. It can be found here: 
> Abstract: 
> "CBOR Web Token (CWT) is a compact means of representing claims to be
> transferred between two parties.  CWT is a profile of the JSON Web Token
> (JWT) that is optimized for constrained devices. The claims in a CWT are
> encoded in the Concise Binary Object Representation (CBOR) and CBOR
> Object Signing and Encryption (COSE) is used for added application layer
> security protection.  A claim is a piece of information asserted about a
> subject and is represented as a name/value pair consisting of a claim
> name and a claim value."
> / Erik
> [1]