Re: [OAUTH-WG] WGLC on JSON Web Token (JWT)

Mike Jones <> Mon, 03 March 2014 22:22 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id B63E61A01CF for <>; Mon, 3 Mar 2014 14:22:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id vmPotQXzIsUy for <>; Mon, 3 Mar 2014 14:22:49 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 4FAFC1A020C for <>; Mon, 3 Mar 2014 14:22:49 -0800 (PST)
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.888.9; Mon, 3 Mar 2014 22:22:44 +0000
Received: from (2a01:111:f400:7c10::124) by (2a01:111:e400:2c5d::37) with Microsoft SMTP Server (TLS) id 15.0.888.9 via Frontend Transport; Mon, 3 Mar 2014 22:22:44 +0000
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.888.9 via Frontend Transport; Mon, 3 Mar 2014 22:22:44 +0000
Received: from ([]) by ([]) with mapi id 14.03.0174.002; Mon, 3 Mar 2014 22:22:12 +0000
From: Mike Jones <>
To: Prateek Mishra <>
Thread-Topic: [OAUTH-WG] WGLC on JSON Web Token (JWT)
Thread-Index: AQHOk09MPVTXxCf600aHih1/kI1D/Zmga/qAgTBtKXA=
Date: Mon, 3 Mar 2014 22:22:11 +0000
Message-ID: <>
References: <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739439A0A9528TK5EX14MBXC286r_"
MIME-Version: 1.0
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: CIP:; CTRY:US; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(10009001)(438001)(199002)(189002)(53754006)(377454003)(57704003)(74366001)(74876001)(93516002)(19300405004)(63696002)(81816001)(46102001)(69226001)(80976001)(74662001)(86612001)(81342001)(77982001)(92566001)(74706001)(95416001)(84326002)(512954002)(71186001)(90146001)(85806002)(31966008)(77096001)(76482001)(56816005)(51856001)(20776003)(15202345003)(85852003)(59766001)(53806001)(81686001)(80022001)(83072002)(95666003)(92726001)(4396001)(94316002)(86362001)(44976005)(19580405001)(87266001)(83322001)(6806004)(16236675002)(79102001)(50986001)(2656002)(55846006)(87936001)(94946001)(66066001)(76786001)(47446002)(76796001)(54316002)(81542001)(54356001)(74502001)(47736001)(93136001)(15975445006)(85306002)(47976001)(33656001)(49866001)(65816001)(19580395003); DIR:OUT; SFP:1101; SCL:1; SRVR:BY2PR03MB596;; CLIP:; FPR:EC38F585.ACF29581.7BD1BD48.49AAD1E3.20498; MLV:sfv; PTR:InfoDomainNonexistent; A:1; MX:1; LANG:en;
X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY)
X-Forefront-PRVS: 0139052FDB
Received-SPF: Pass (: domain of designates as permitted sender) receiver=; client-ip=;;
Cc: " WG" <>
Subject: Re: [OAUTH-WG] WGLC on JSON Web Token (JWT)
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 03 Mar 2014 22:22:58 -0000

Hi Prateek,

Thanks for taking the time to send in these comments.  I am sending you this to describe the changes that were made in response to your comments (mostly in -13 but also a few in -18).  See individual responses inline.

                                                            -- Mike

From: [] On Behalf Of Prateek Mishra
Sent: Wednesday, August 21, 2013 4:51 PM
To: Hannes Tschofenig
Cc: WG
Subject: Re: [OAUTH-WG] WGLC on JSON Web Token (JWT)

1) As a JWT is always an instance of JWE or JWS, I am not sure why there is a need for the the materials found in Section 5, para 1 (these are also found in the JWE and JWS draft specifications). It could simply be removed from the draft.

There's a stylistic tension between saying things in exactly one place and making each document easier to read without constantly having to flip back and forth between them.  In this case, I believe that the small amount of duplication aids developers who might not recursively read everything referenced in full detail.

2) Why do we need both a "typ" claim and a "typ" header name? Need they have some relationship to each other?
Isn't this also covered by Section 5.3?

The "typ" claim was removed as part of the JOSE change to use MIME type names for "typ" and "cty" header parameter values.

3)  The materials in Section 5.3 could be simplified further.

Why should the use of claims as header parameters be restricted to the case where the JWT=JWE; what about the encrypt then sign (symmetric) use-case? I see no issue in allowing this feature with a JWT of any type.

As written, the specs actually already allow the header to be extended with any parameters, as needed by applications.  Replicating encrypted claims as unencrypted header parameter values is only one such permitted usage.

The last paragraph of Section 5.3 ("This specification reserves the iss (issuer), sub (subject),....") seems to be an instance of the
previous paragraph. If claims are allowed in the header, then iss (issuer), sub (subject) are trivially allowed, right? I couldn't find any additional information in this last paragraph.

This text is referring to the fact that these three claims are registered in the IANA JSON Web Signature and Encryption Header Parameters registry for use as header parameters.  I clarified this by adding a section number reference.

Finally, do we need "SHOULD verify that their values are identical" - given that this matter is left upto applications, couldnt they choose to verify only a certain relationship between the corresponding values (e.g., header carries hash of value, JWT carries the (large) complete value)?  Can this be weakened to "SHOULD verify that their values have an appropriate (application-defined) relationship. In many instances, applications may want to ensure that they are identical".

Agreed.  I added a qualifying clause saying that "the application receiving them SHOULD verify that their values are identical, unless the application defines other specific processing rules for these Claims".

4) Section 8 -

am I correct in reading this as: all conforming JWT implementations MUST implement JWS and MAY implement JWE?
At least thats what I understood from the last paragraph ("if an implementation provides encryption capabilities...").


- prateek

Hi all,

this is a working group last call for the JSON Web Token (JWT).

Here is the document:

Please send you comments to the OAuth mailing list by August 21, 2013.

Hannes & Derek
OAuth mailing list<>