Re: [OAUTH-WG] Next Steps for the JSON Web Token Document

Hannes Tschofenig <> Fri, 01 November 2013 20:13 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 0422F21E80B7 for <>; Fri, 1 Nov 2013 13:13:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 97upLKqsNIdE for <>; Fri, 1 Nov 2013 13:13:05 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 0B10221E80E1 for <>; Fri, 1 Nov 2013 13:13:04 -0700 (PDT)
Received: from masham-mac.home ([]) by (mrgmx002) with ESMTPSA (Nemesis) id 0MMBun-1VZKHi1wTt-00864E for <>; Fri, 01 Nov 2013 21:13:03 +0100
Message-ID: <>
Date: Fri, 01 Nov 2013 21:13:01 +0100
From: Hannes Tschofenig <>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:17.0) Gecko/20130216 Thunderbird/17.0.3
MIME-Version: 1.0
To: Brian Campbell <>
References: <> <>
In-Reply-To: <>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Provags-ID: V03:K0:d/Mjr8IXkWaoSXy0IZ3iQ8n9cJ3TtYmNZ8fYF6zBgDasadK7li/ 4MktR9BJG+1KCuPGGPiSbPsxEA+A0Ne3PtjV9WVpX9yBupDjzYucOiL+0yhJ5jzbNhmRnO9 9FDzfkU672xlxu8qf+RAOSOLDTUoaq6K9zmrUumQorsGL6ZUWablenVC2rCfQpY//ybm/fl AMov25DKuedK22Bsb9AJQ==
Cc: "" <>
Subject: Re: [OAUTH-WG] Next Steps for the JSON Web Token Document
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 01 Nov 2013 20:13:10 -0000

Thank you for your review, Brian.

Am 01.11.13 20:53, schrieb Brian Campbell:
> I just saw
> from
> Hannes noting reviews on draft-ietf-oauth-json-web-token and was
> surprised that mine wasn't included. So I went looking for it and
> apparently I didn't actually send it to the list. But I did find it and
> am including what I wrote and tried but failed to send back in
> September. Sorry about that.
> And here it s:
> Below are my review comments on the JSON Web Token Document that I (had
> forgotten until reminded by Hannes yesterday) committed to reviewing at
> the meeting in Berlin.
> Review of draft-ietf-oauth-json-web-token-11:
> * The sentence about the suggested pronunciation being 'jot' is in both
> the intro and the abstract. Seems like just once would be sufficient.
> * Should "Base64url Encoding" in the Terminology section also mention
> the omission/prohibition of line wrapping?
> * References to sections or appendices in other documents often don't
> have the correct href value.  For example, "Base64url Encoding" in the
> Terminology section has this problem for Section 3.2, which should point
> to RFC 4648 and Appendix C, which should go to JWS but both refer to the
> local document. There are many other instances of the same issue. I
> assume this is due to some tool in the xml2rfc or I-D upload process
> (and I know I have it in some of the drafts I author) but is this the
> kind of thing that the RFC editor will take care of?
> * I continue to struggle to understand how the type and content type
> Header parameters and the type claim can or will be used in a meaningful
> and reliable way.  I can't help but wonder if it couldn't be simplified.
> For example. what if we only had the cty header and defined a cty value
> for a JWT Claims Set - couldn't all the same things be conveyed?
> * There are a number of the reserved claims that say the use of the
> claim is OPTIONAL while also stating that the "JWT MUST be rejected" if
> some condition about the claim doesn't hold. There seems to be some
> potential ambiguity here regarding whether (in the absence of tighter
> context-dependent requirements, which is what generalized JWT libraries
> need to be built for) the optionality applies only to the producer or
> also to the consumer of a JWT. My guess is that the claims are optional
> to include for the producer but, if they are present, they must be
> validated by the consumer and the JWT must be rejected if whatever
> condition isn't satisfied. Do I have that right? Regardless, I think
> there is some ambiguity as currently written that should be clarified.
> Note that some of these comments relate to or even apply directly to JWS
> and JWE as well. Which I suppose underscores the point James made a
> while ago about progressing this document so far ahead of the JOSE drafts.
> On Tue, Sep 10, 2013 at 8:26 AM, Tschofenig, Hannes (NSN - FI/Espoo)
> < <>> wrote:
>     Hi again,
>     I also checked the minutes from IETF#87 regarding the JWT and here
>     are the action items:
>     ** I issued a WGLC, as discussed during the meeting:
>     ** We got some reviews from James, and Prateek. Thanks, guys!
>     Here are the reviews:
> (James)
>     (Prateek)
>       During the meeting a few others, namely Torsten, Karen, Paul
>     Hoffman, and Brian volunteered to provide their review comments.
>     Please send your review to the list.
>     ** I will have to do my shepherd write-up as well.
>     Ciao
>     Hannes
>     _______________________________________________
>     OAuth mailing list
> <>
> _______________________________________________
> OAuth mailing list