Re: [OAUTH-WG] Minor questions regarding draft-ietf-oauth-json-web-token-19

Mike Jones <> Wed, 23 April 2014 16:32 UTC

From: Mike Jones <>
To: Hannes Tschofenig <>, "" <>
Date: Wed, 23 Apr 2014 16:32:09 +0000

Replies inline...

-----Original Message-----
From: OAuth [] On Behalf Of Hannes Tschofenig
Sent: Wednesday, April 23, 2014 4:49 AM
Subject: [OAUTH-WG] Minor questions regarding draft-ietf-oauth-json-web-token-19

Doing my shepherd write-up I had a few minor questions:

* Could you move the RFC 6755 reference to the normative reference section? Reason: the IANA consideration section depends on the existence of the urn:ietf:params:oauth registry.


* Could you move the JWK reference to the informative reference section?

Reason: The JWK is only used in an example and not essential to the implementation or understanding of the specification.


* Would it be sufficient to reference RFC 7159 instead of the [ECMAScript] reference?

No.  There's no equivalent to Section 15.12 of ECMAScript about the lexically last member name to reference in RFC 7159.  See the usage in the first paragraph of

* The document registers 'urn:ietf:params:oauth:token-type' and it is used in the "type" header parameter.

The text, however, states that the value can also be set to jwt. Why would someone prefer to use urn:ietf:params:oauth:token-type instead of the much shorter jwt value?

There are use cases, such as using JWTs as tokens in WS-Trust, where a URI is needed.



Thanks for doing this.

                                                            -- Mike