Re: [OAUTH-WG] JSON Web Token (JWT) Draft -04

Bob Gregory <pathogenix@gmail.com> Tue, 05 April 2011 16:08 UTC

In-Reply-To: <4E1F6AAD24975D4BA5B1680429673943252BA221@TK5EX14MBXC203.redmond.corp.microsoft.com>
References: <4E1F6AAD24975D4BA5B1680429673943252B2BB6@TK5EX14MBXC203.redmond.corp.microsoft.com> <AANLkTi=pYrucDVi+7z1RQ_A243ZXCpQzYonGLSw-MAXL@mail.gmail.com> <4E1F6AAD24975D4BA5B1680429673943252BA221@TK5EX14MBXC203.redmond.corp.microsoft.com>
Date: Tue, 05 Apr 2011 17:10:12 +0100
Message-ID: <BANLkTi=oUbvtGvheBXGNWMPAd7eDO-G8xg@mail.gmail.com>
From: Bob Gregory <pathogenix@gmail.com>
To: Mike Jones <Michael.Jones@microsoft.com>
Cc: "openid-specs-ab@lists.openid.net" <openid-specs-ab@lists.openid.net>, "woes@ietf.org" <woes@ietf.org>, "oauth@ietf.org" <oauth@ietf.org>, "openid-specs@lists.openid.net" <openid-specs@lists.openid.net>
Subject: Re: [OAUTH-WG] JSON Web Token (JWT) Draft -04

Hi Mike,

I'm going to start implementing draft 4 in the near future. At a cursory
reading, I'm concerned that splitting the specifications has not simplified
the language; rather, it has confused the specification and introduced
generalisation where there were formerly simple, specific cases.

If the long-term intent is that JWS and JWE should form composable
operations for signing and encrypting content, while JWT specifies a payload
format, then the specifications should be more clearly delineated. The
current JWT draft makes repeated references to headers and signatures, and
includes an appendix entry giving examples of signing. If JWS is the
specification for signing, then the JWT draft should drop these sections.

JWT then becomes a teeny-weeny specification consisting of an overview, a
table for reserved claim names, the rules for verifying those claims, and
some notes on creating custom claims.

Likewise, if JWS is intended to be a general mechanism for signing messages,
it would be preferable to see examples in the JWS spec which do not refer to
the JWT spec. Simple strings, or base64 encoded binary would make better
examples for JWS, without coupling the two specifications together.

As it stands, it's impossible to implement JWT without continual
cross-reference. It's much harder to gain a sense of how an implementation
ought to hang together than it used to be.

It's still possible for Jwt4net to be a compliant implementation of JWT
without supporting a generalised JWS implementation, but checking compliance
is going to be much harder. I think the next steps for the library, once
I've fixed a couple of glaring holes, will be to refactor out a full JWS
implementation, and treat JWT as a special case, but that adds accidental
complexity to what was a relatively simple library (barring my own
over-complication through stupidity).

I'm still a big fan of JWT as a standard, but I think the current spec
language is a step backwards for implementation.

 -- Bob Gregory

On Wed, Mar 30, 2011 at 4:37 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:

> Thanks, Bob.  That’s great to hear!
>
> I look forward to your feedback on the spec based upon your actual use.
>
> -- Mike
>
> *From:* Bob Gregory [mailto:pathogenix@gmail.com]
> *Sent:* Wednesday, March 30, 2011 8:36 AM
> *To:* Mike Jones
> *Cc:* woes@ietf.org; oauth@ietf.org; openid-specs-ab@lists.openid.net;
> openid-specs@lists.openid.net
> *Subject:* Re: [OAUTH-WG] JSON Web Token (JWT) Draft -04
>
> I've just uploaded a .Net implementation of JWT issuance and consumption to
> GitHub @ https://github.com/BobFromHuddle/Jwt4Net
>
> This is in no way ready for public release, but is in use in a production
> system. It's based on draft 1, and I'll try and update it to draft 4
> compliance next week.
>
> We're intending to provide full coverage of the JWT spec as it matures;
> the major block for us at the moment is the lack of a specification for the
> "jku" key encoding scheme. Until that's decided, we're using .Net's default
> serialization of private keys which is based on RFC 4050.
>
> -- Bob Gregory
>
> On Wed, Mar 30, 2011 at 9:57 AM, Mike Jones <Michael.Jones@microsoft.com>
> wrote:
>
> Draft -04 of the JSON Web Token (JWT) <http://self-issued.info/docs/draft-jones-json-web-token.html> specification is available.  It corrects a typo found by John Bradley in
> -03.
>
> The draft is available at these locations:
>
> · http://www.ietf.org/internet-drafts/draft-jones-json-web-token-04.txt
> · http://www.ietf.org/internet-drafts/draft-jones-json-web-token-04.xml
> · http://self-issued.info/docs/draft-jones-json-web-token-04.html
> · http://self-issued.info/docs/draft-jones-json-web-token-04.txt
> · http://self-issued.info/docs/draft-jones-json-web-token-04.xml
> · http://self-issued.info/docs/draft-jones-json-web-token.html (will point to new versions as they are posted)
> · http://self-issued.info/docs/draft-jones-json-web-token.txt (will point to new versions as they are posted)
> · http://self-issued.info/docs/draft-jones-json-web-token.xml (will point to new versions as they are posted)
> · http://svn.openid.net/repos/specifications/json_web_token/1.0/ (Subversion repository, with html, txt, and html versions available)
>
> -- Mike
>
> --
> An infinite number of mathematicians walk into a bar. The first one orders
> a beer. The second orders half a beer. The third, a quarter of a beer. The
> bartender says "You're all idiots", and pours two beers.



-- 
An infinite number of mathematicians walk into a bar. The first one orders a
beer. The second orders half a beer. The third, a quarter of a beer. The
bartender says "You're all idiots", and pours two beers.
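The layering Bob argues for above (JWS as a generic signing operation over any payload, JWT as a claims format plus claim-checking rules built on top of it), sketched as an added example in Python; this is not Jwt4Net's code and not text from any of the drafts. The HS256 algorithm name and the iss, aud and exp claim names are the drafts' own; the key and claim values are constructed.

```python
import base64
import hashlib
import hmac
import json

# ---- Generic JWS layer: signs and verifies arbitrary bytes; knows nothing about JWT ----
def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def jws_sign(payload: bytes, key: bytes) -> str:
    """HS256 over any payload: a plain string, binary data, or a JWT claims set."""
    header = b64url_encode(json.dumps({"alg": "HS256"}, separators=(",", ":")).encode())
    body = b64url_encode(payload)
    mac = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(mac)}"

def jws_verify(token: str, key: bytes) -> bytes:
    """Returns the payload bytes; raises ValueError on any structural or MAC failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("JWS must have exactly three parts")
    header_b64, body_b64, mac_b64 = parts
    # The verifier, not the token's header, decides which algorithm is acceptable.
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unsupported alg")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(mac_b64)):
        raise ValueError("signature mismatch")
    return b64url_decode(body_b64)

# ---- JWT layer: a JSON claims set plus rules for checking reserved claims, on top of JWS ----
def jwt_issue(claims: dict, key: bytes) -> str:
    return jws_sign(json.dumps(claims, separators=(",", ":")).encode("utf-8"), key)

def jwt_consume(token: str, key: bytes, issuer: str, audience: str, now: float) -> dict:
    """Verify the JWS envelope first, then apply the claim rules for iss, aud and exp."""
    claims = json.loads(jws_verify(token, key))
    if claims.get("iss") != issuer:
        raise ValueError("issuer not trusted")
    if claims.get("aud") != audience:
        raise ValueError("token not intended for this audience")
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    return claims
```

Nothing in the JWS functions depends on the JWT ones, so the same `jws_sign`/`jws_verify` pair serves the "simple strings or base64 encoded binary" examples Bob asks for in the JWS spec.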