Re: [OAUTH-WG] Message ID for draft-jones-oauth-jwt-bearer

John Bradley <ve7jtb@ve7jtb.com> Thu, 24 November 2011 02:11 UTC

References: <FF3DAF17-D2AF-4E02-AC4B-CDBCA1FE73FE@ve7jtb.com> <4E1F6AAD24975D4BA5B16804296739435F74F94C@TK5EX14MBXC283.redmond.corp.microsoft.com> <4E1F6AAD24975D4BA5B16804296739435F74F95E@TK5EX14MBXC283.redmond.corp.microsoft.com>
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739435F74F95E@TK5EX14MBXC283.redmond.corp.microsoft.com>
Message-Id: <D415CBDB-F94E-440E-ADC2-DA87F6BF4789@ve7jtb.com>
From: John Bradley <ve7jtb@ve7jtb.com>
Date: Wed, 23 Nov 2011 23:11:35 -0300
To: Mike Jones <Michael.Jones@microsoft.com>
Cc: oauth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Message ID for draft-jones-oauth-jwt-bearer

With only three characters, combinations are at a premium.

People can always use longer names.

The ones that are going to be in most tokens are the important ones to keep short and memorable.  

tid seems clearer than jti, but that is just me.  I will go with whatever is decided.

John B
Sent from my iPad

On 2011-11-23, at 10:27 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:

> Thinking about it a bit more, since others may want to use “tid” for claims with meanings like Transaction ID (or other words beginning with “t”), maybe the claim name should be “jti” (JSON Web Token ID) to reduce the chance of name collisions?
>  
>                                                             -- Mike
>  
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Mike Jones
> Sent: Wednesday, November 23, 2011 5:21 PM
> To: John Bradley; oauth WG
> Subject: Re: [OAUTH-WG] Message ID for draft-jones-oauth-jwt-bearer
>  
> Thanks John.  This makes sense to me.
>  
> Feedback from others?
>  
>                                                             -- Mike
>  
> From: John Bradley [mailto:ve7jtb@ve7jtb.com] 
> Sent: Wednesday, November 23, 2011 5:02 PM
> To: oauth WG
> Cc: Mike Jones
> Subject: Message ID for draft-jones-oauth-jwt-bearer
>  
> The draft-jones-oauth-jwt-bearer profile is lacking a message ID that exists in the SAML version.
>  
> This is important for the receiver to detect replay attacks.
>  
> For Connect I made up a claim to use:
>  
> tid: The tid (token id) claim. A nonce or unique identifier for the assertion. The Assertion ID may be used by implementations requiring message de-duplication for one-time use assertions.
>  
> I was tempted to use mid (Message ID); however, it is the id of the token, not the message.
>  
> If you add something I will change the claim to be consistent.
>  
> I think it needs to be in your spec.
>  
> Regards
> John B.
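The thread above argues that the JWT bearer profile needs a unique token ID claim so a receiver can detect replayed one-time-use assertions. The following is an added illustration of that receiver-side check, written for this page; it is not code from the thread, from draft-jones-oauth-jwt-bearer, or from the Connect draft. It assumes the assertion has already been signature-verified and decoded into a dict of claims, that the ID claim is named `jti` (the name proposed in the thread; `tid` works the same way via the `id_claim` parameter), and that the standard `exp` claim is present so the replay cache can be bounded. The class and function names (`JtiReplayCache`, `check_and_record`, `demo`), the clock-skew allowance and the claim values are all constructed for the example.

```python
import time


class JtiReplayCache:
    """Remember the unique token ID ("jti") of every assertion accepted so far,
    so a second presentation of the same one-time-use assertion is refused.

    Entries are kept only until the assertion's own expiry (plus a small skew
    allowance), which keeps the cache bounded: an assertion older than that
    is rejected as expired before the ID is ever consulted.
    """

    def __init__(self, clock=time.time, max_skew=60):
        self._seen = {}            # token id -> "exp" claim of the accepted assertion
        self._clock = clock        # injectable clock (assumption: seconds since epoch)
        self._max_skew = max_skew  # tolerated clock skew in seconds (constructed value)

    def _prune(self, now):
        """Forget IDs whose assertions can no longer be accepted anyway."""
        expired = [jti for jti, exp in self._seen.items()
                   if exp + self._max_skew < now]
        for jti in expired:
            del self._seen[jti]

    def check_and_record(self, claims, id_claim="jti"):
        """Return (accepted, reason). Records the ID on acceptance."""
        now = self._clock()
        self._prune(now)
        token_id = claims.get(id_claim)
        if not token_id:
            return False, f"missing {id_claim} claim: cannot de-duplicate"
        exp = claims.get("exp")
        if exp is None:
            return False, "missing exp claim: replay cache cannot be bounded"
        if exp + self._max_skew < now:
            return False, "assertion expired"
        if token_id in self._seen:
            return False, f"replay: {id_claim}={token_id!r} already accepted"
        self._seen[token_id] = exp
        return True, "accepted"


def demo():
    """Walk through accept / replay / expiry with a constructed clock and claims."""
    now = [1_000_000.0]                      # constructed "current time"
    cache = JtiReplayCache(clock=lambda: now[0])
    # Constructed claim set, as a receiver would see it after signature verification.
    first = {"iss": "https://client.example", "jti": "Ab1-unique", "exp": now[0] + 300}
    results = [cache.check_and_record(first)[0]]      # True: first use accepted
    results.append(cache.check_and_record(first)[0])  # False: same jti replayed
    second = dict(first, jti="Cd2-unique")
    results.append(cache.check_and_record(second)[0])  # True: different jti
    now[0] += 400                                      # move past exp + skew
    results.append(cache.check_and_record(first)[0])  # False: expired, cache pruned
    no_id = {"iss": "https://client.example", "exp": now[0] + 300}
    results.append(cache.check_and_record(no_id)[0])  # False: no jti to de-duplicate on
    return results


if __name__ == "__main__":
    print(demo())
```

The pruning step is what makes the unique ID usable in practice: without an `exp` (or equivalent validity bound) the receiver would have to remember every ID forever, which is why a replay check normally refuses assertions that lack both the ID and an expiry rather than accepting them unchecked.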