Re: [OAUTH-WG] review: draft-ietf-oauth-json-web-token-05
Mike Jones <Michael.Jones@microsoft.com> Sun, 30 December 2012 08:07 UTC
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B29C721F88E2 for <oauth@ietfa.amsl.com>; Sun, 30 Dec 2012 00:07:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.551
X-Spam-Level:
X-Spam-Status: No, score=-2.551 tagged_above=-999 required=5 tests=[AWL=0.047, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L7GqZMl11aQH for <oauth@ietfa.amsl.com>; Sun, 30 Dec 2012 00:07:27 -0800 (PST)
Received: from NA01-BY2-obe.outbound.protection.outlook.com (na01-by2-obe.ptr.protection.outlook.com [207.46.100.32]) by ietfa.amsl.com (Postfix) with ESMTP id 3026721F88E0 for <oauth@ietf.org>; Sun, 30 Dec 2012 00:07:27 -0800 (PST)
Received: from BY2FFO11FD010.protection.gbl (10.1.15.202) by BY2FFO11HUB017.protection.gbl (10.1.14.91) with Microsoft SMTP Server (TLS) id 15.0.586.12; Sun, 30 Dec 2012 08:07:24 +0000
Received: from TK5EX14MLTC102.redmond.corp.microsoft.com (131.107.125.37) by BY2FFO11FD010.mail.protection.outlook.com (10.1.14.74) with Microsoft SMTP Server (TLS) id 15.0.586.12 via Frontend Transport; Sun, 30 Dec 2012 08:07:25 +0000
Received: from TK5EX14MBXC283.redmond.corp.microsoft.com ([169.254.2.24]) by TK5EX14MLTC102.redmond.corp.microsoft.com ([157.54.79.180]) with mapi id 14.02.0318.003; Sun, 30 Dec 2012 08:07:24 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Anthony Nadalin <tonynad@microsoft.com>, Nat Sakimura <sakimura@gmail.com>
Thread-Topic: [OAUTH-WG] review: draft-ietf-oauth-json-web-token-05
Thread-Index: Ac3lYXPoELEFPMRSTq+X4Nh79LI8wgAR1McAAB7zZYAAB4U7gAADM92AAAVDVuA=
Date: Sun, 30 Dec 2012 08:07:22 +0000
Message-ID: <4E1F6AAD24975D4BA5B1680429673943669E083F@TK5EX14MBXC283.redmond.corp.microsoft.com>
References: <4E1F6AAD24975D4BA5B1680429673943669B0B1F@TK5EX14MBXC283.redmond.corp.microsoft.com> <50DEBAF4.6040700@kent.ac.uk> <517e9248dbf944d2a275b4850609f63c@BY2PR03MB041.namprd03.prod.outlook.com> <CABzCy2BHqeiQrkrsMSCDBqa4Nf7Nno1XbbnsKho_xSt6FTm78A@mail.gmail.com> <ca5dd691f5dd40dab01ab97fa79d8951@BY2PR03MB041.namprd03.prod.outlook.com>
In-Reply-To: <ca5dd691f5dd40dab01ab97fa79d8951@BY2PR03MB041.namprd03.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.34]
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B1680429673943669E083FTK5EX14MBXC283r_"
MIME-Version: 1.0
X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(51704002)(377454001)(13464002)(479174001)(51914002)(24454001)(77982001)(74662001)(74502001)(56816002)(59766001)(15395725002)(47976001)(51856001)(47736001)(15202345001)(46102001)(16236675001)(55846006)(512874001)(54316002)(31966008)(4396001)(16406001)(5343655001)(47446002)(44976002)(5343635001)(54356001)(550184003)(56776001)(76482001)(5343645001)(49866001)(33656001)(50986001)(53806001); DIR:OUT; SFP:; SCL:1; SRVR:BY2FFO11HUB017; LANG:en;
X-OriginatorOrg: microsoft.onmicrosoft.com
X-Forefront-PRVS: 071156160B
Cc: IETF oauth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] review: draft-ietf-oauth-json-web-token-05
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 30 Dec 2012 08:07:28 -0000
I sure hope we don’t plan/need to go into that level of technical detail in the JWT spec. It’s intended to be readable and accessible to developers – not a treatise on the meanings of words. ☺
-- Mike
From: Anthony Nadalin
Sent: Saturday, December 29, 2012 9:35 PM
To: Nat Sakimura
Cc: David Chadwick; Mike Jones; IETF oauth WG
Subject: RE: [OAUTH-WG] review: draft-ietf-oauth-json-web-token-05
1252 s it has a section that explains the usage
A.2 Claim/assertion
The meaning of the terms claim and assertion are generally agreed to be somewhat similar but with slightly different meanings. In some cases, an assertion is considered to be a "stronger" statement than a claim. For example, the Oxford English Dictionary defines claim as:
a) to state as being the case, without being able to give proof;
b) a statement that something is the case,
and assertion as: a confident and forceful statement. However, in a digital context, the terms "confident" and "forceful" are not really meaningful.
In open networks, there will be a more complex and ambivalent relationship between the party making a statement (i.e., presenting identity information) and the party that relies on it. Therefore, any statement is assumed to be in doubt and, as such, is subject to verification or request for further evidence. Neither claims nor assertions can be assumed to be made with any authority whatever. It will always be up to the relying party to decide whether or not to accept the claim or assertion based on verification by the relying party (or by a verifier acting at the request of the relying party).
From: Nat Sakimura [mailto:sakimura@gmail.com]
Sent: Saturday, December 29, 2012 8:04 PM
To: Anthony Nadalin
Cc: David Chadwick; Mike Jones; IETF oauth WG
Subject: Re: [OAUTH-WG] review: draft-ietf-oauth-json-web-token-05
Tony,
So do you agree with the following definition in -06? Or prefer X.1252 definition?
Claim A piece of information asserted about a subject. Here, Claims
are represented name/value pairs, consisting of a Claim Name and a
Claim Value.
Mike:
Regarding the ordering of the terms in terminology, you should either use the dependency chain or alphabetic order. (Former is more desirable in my point of view.) However, as it stands, it is none of those. For example, the term "claim" appears in the definition of JWT, which is the first term in the terminology, without having been defined. If you do not mind, I will reorder them and send it to you.
Nat
On Sun, Dec 30, 2012 at 9:28 AM, Anthony Nadalin <tonynad@microsoft.com<mailto:tonynad@microsoft.com>> wrote:
By definition a claim is always in doubt thus it would not call it a credential until it is verified
-----Original Message-----
From: oauth-bounces@ietf.org<mailto:oauth-bounces@ietf.org> [mailto:oauth-bounces@ietf.org<mailto:oauth-bounces@ietf.org>] On Behalf Of David Chadwick
Sent: Saturday, December 29, 2012 1:42 AM
To: Mike Jones
Cc: IETF oauth WG
Subject: Re: [OAUTH-WG] review: draft-ietf-oauth-json-web-token-05
If a claim provides proof then I would call it a credential not a claim
David
On 29/12/2012 01:11, Mike Jones wrote:
> I found the X.1252 definition. It is:
>
> *6.18 claim *[b-OED]: To state as being the case, without being able
> to give proof.
>
> That seems both a bit vague, and actually incorrect, as the JWT may
> include proof of the veracity of the claim. Please see the updated
> JWT draft for a hopefully more useful “Claim” definition.
>
> Best
> wishes,
>
> -- Mike
>
> *From:*Mike Jones
> *Sent:* Sunday, December 23, 2012 1:03 PM
> *To:* Jeff Hodges; Nat Sakimura
> *Cc:* IETF oauth WG
> *Subject:* RE: [OAUTH-WG] review: draft-ietf-oauth-json-web-token-05
>
> What is the X.1252 definition?
>
> -- Mike
>
> *From:* Nat Sakimura
> *Sent:* December 23, 2012 10:09 AM
> *To:* =JeffH
> *CC:* Mike Jones, IETF oauth WG
> *Subject:* Re: [OAUTH-WG] review: draft-ietf-oauth-json-web-token-05
>
> Re definition of 'claim', as JWT is supposed to be generic, it may be
> better to go with the definition of X.1252 rather than OIDC.
>
> =nat via iPhone
>
> Dec 24, 2012 2:42、=JeffH <Jeff.Hodges@kingsmountain.com<mailto:Jeff.Hodges@kingsmountain.com>
> <mailto:Jeff.Hodges@kingsmountain.com<mailto:Jeff.Hodges@kingsmountain.com>>> のメッセージ:
>
>>
>> > Thanks for the replies, Jeff. They make sense. Particularly,
>> > thanks for the "JSON Text Object" suggestion.
>>
>> welcome, glad they made some sense.
>>
>> similarly, if one employs JSON arrays, I'd define a "JSON text array".
>>
>>
>> > For the "claims" definition, I'm actually prone to go with
>> >definitions based on those in
>> >http://openid.net/specs/openid-connect-messages-1_0-13.html#terminol
>> >ogy-
>> > specifically:
>> >
>> > Claim
>> > A piece of information about an Entity that a Claims Provider
>> > asserts about that Entity.
>> > Claims Provider
>> > A system or service that can return Claims about an Entity.
>> > End-User
>> > A human user of a system or service.
>> > Entity
>> > Something that has a separate and distinct existence and that can
>> > be identified in context. An End-User is one example of an Entity.
>>
>> well, it seems to me, given the manner in which the JWT spec is
>> written, one can make the case that JWT claims in general aren't
>> necessarily about an Entity (as the latter term is used in the
>> context of the OpenID Connect specs), rather they're in general
>> simply assertions about something(s). this is because all pre-defined
> JWT claim types are optional and all JWT semantics are left up to
> specs that profile (aka re-use) the JWT spec.
>>
>> HTH,
>>
>> =JeffH
>>
>> _______________________________________________
>> OAuth mailing list
>>OAuth@ietf.org<mailto:OAuth@ietf.org> <mailto:OAuth@ietf.org<mailto:OAuth@ietf.org>>
>>https://www.ietf.org/mailman/listinfo/oauth
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org<mailto:OAuth@ietf.org>
> https://www.ietf.org/mailman/listinfo/oauth
>
_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth
--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
- Re: [OAUTH-WG] review: draft-ietf-oauth-json-web-… =JeffH
- [OAUTH-WG] review: draft-ietf-oauth-json-web-toke… =JeffH
- Re: [OAUTH-WG] review: draft-ietf-oauth-json-web-… John Bradley
- Re: [OAUTH-WG] review: draft-ietf-oauth-json-web-… =JeffH
- Re: [OAUTH-WG] review: draft-ietf-oauth-json-web-… Mike Jones
- Re: [OAUTH-WG] review: draft-ietf-oauth-json-web-… Nat Sakimura
- Re: [OAUTH-WG] review: draft-ietf-oauth-json-web-… Mike Jones
- Re: [OAUTH-WG] review: draft-ietf-oauth-json-web-… Nat Sakimura
- Re: [OAUTH-WG] review: draft-ietf-oauth-json-web-… Dick Hardt
- Re: [OAUTH-WG] review: draft-ietf-oauth-json-web-… Mike Jones
- Re: [OAUTH-WG] review: draft-ietf-oauth-json-web-… Mike Jones
- Re: [OAUTH-WG] review: draft-ietf-oauth-json-web-… Mike Jones
- Re: [OAUTH-WG] review: draft-ietf-oauth-json-web-… David Chadwick
- Re: [OAUTH-WG] review: draft-ietf-oauth-json-web-… Antonio Sanso
- Re: [OAUTH-WG] review: draft-ietf-oauth-json-web-… John Bradley
- Re: [OAUTH-WG] review: draft-ietf-oauth-json-web-… Antonio Sanso
- Re: [OAUTH-WG] review: draft-ietf-oauth-json-web-… Nat Sakimura
- Re: [OAUTH-WG] review: draft-ietf-oauth-json-web-… Anthony Nadalin
- Re: [OAUTH-WG] review: draft-ietf-oauth-json-web-… Nat Sakimura
- Re: [OAUTH-WG] review: draft-ietf-oauth-json-web-… Anthony Nadalin
- Re: [OAUTH-WG] review: draft-ietf-oauth-json-web-… Mike Jones
- Re: [OAUTH-WG] review: draft-ietf-oauth-json-web-… Mike Jones
- Re: [OAUTH-WG] review: draft-ietf-oauth-json-web-… David Chadwick
- Re: [OAUTH-WG] review: draft-ietf-oauth-json-web-… Antonio Sanso
- Re: [OAUTH-WG] review: draft-ietf-oauth-json-web-… Anthony Nadalin
- Re: [OAUTH-WG] review: draft-ietf-oauth-json-web-… Anthony Nadalin
- Re: [OAUTH-WG] review: draft-ietf-oauth-json-web-… David Chadwick
- Re: [OAUTH-WG] review: draft-ietf-oauth-json-web-… John Bradley