Re: [OAUTH-WG] WGLC on JSON Web Token (JWT)

Mike Jones <> Mon, 03 March 2014 22:22 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 3F71B1A01CF for <>; Mon, 3 Mar 2014 14:22:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.601
X-Spam-Status: No, score=-4.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, GB_I_LETTER=-2, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id G3HHCMI87MHr for <>; Mon, 3 Mar 2014 14:22:37 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id F1C2F1A01EB for <>; Mon, 3 Mar 2014 14:22:36 -0800 (PST)
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.888.9; Mon, 3 Mar 2014 22:22:31 +0000
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.888.9 via Frontend Transport; Mon, 3 Mar 2014 22:22:31 +0000
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.888.9 via Frontend Transport; Mon, 3 Mar 2014 22:22:31 +0000
Received: from ([]) by ([]) with mapi id 14.03.0174.002; Mon, 3 Mar 2014 22:21:59 +0000
From: Mike Jones <>
To: "Manger, James H" <>, " WG" <>
Thread-Topic: [OAUTH-WG] WGLC on JSON Web Token (JWT)
Thread-Index: AQHOk09MPVTXxCf600aHih1/kI1D/ZmLZ98AgUVpnFA=
Date: Mon, 3 Mar 2014 22:21:58 +0000
Message-ID: <>
References: <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739439A0A9521TK5EX14MBXC286r_"
MIME-Version: 1.0
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: =?us-ascii?Q?CIP:; CTRY:US; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(100?= =?us-ascii?Q?09001)(438001)(53754006)(377454003)(51704005)(51914003)(1990?= =?us-ascii?Q?02)(189002)(76796001)(16236675002)(81816001)(81686001)(69226?= =?us-ascii?Q?001)(49866001)(47736001)(81342001)(81542001)(50986001)(15202?= =?us-ascii?Q?345003)(19300405004)(33656001)(76482001)(95416001)(4396001)(?= =?us-ascii?Q?46102001)(76786001)(47976001)(74706001)(15975445006)(9272600?= =?us-ascii?Q?1)(66066001)(74502001)(71186001)(512954002)(92566001)(743660?= =?us-ascii?Q?01)(87266001)(86612001)(93136001)(85806002)(79102001)(319660?= =?us-ascii?Q?08)(74876001)(85306002)(56816005)(93516002)(47446002)(863620?= =?us-ascii?Q?01)(53806001)(95666003)(85852003)(59766001)(77096001)(518560?= =?us-ascii?Q?01)(65816001)(74662001)(80976001)(83322001)(54356001)(843260?= =?us-ascii?Q?02)(44976005)(94316002)(77982001)(90146001)(87936001)(800220?= =?us-ascii?Q?01)(54316002)(19580405001)(94946001)(2656002)(19580395003)(2?= =?us-ascii?Q?0776003)(6806004)(63696002)(55846006)(83072002); DIR:OUT; SFP:?= =?us-ascii?Q?1101; SCL:1; SRVR:BLUPR03MB017;; CLIP:131.1?= =?us-ascii?Q?07.125.37; FPR:ED3AFDE5.A8FAD3C9.3AF3F17B.82BAC2E2.207C5; MLV:?= =?us-ascii?Q?sfv; PTR:InfoDomainNonexistent; A:1; MX:1; LANG:en; ?=
X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY)
X-Forefront-PRVS: 0139052FDB
Received-SPF: Pass (: domain of designates as permitted sender) receiver=; client-ip=;;
Subject: Re: [OAUTH-WG] WGLC on JSON Web Token (JWT)
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 03 Mar 2014 22:22:44 -0000

Thanks for taking the time to send in the comments, James.  I am sending you this to describe the changes that were made in response to your comments (mostly in -13 but also a few in -18).  See individual responses inline.

                                                            -- Mike

-----Original Message-----
From: [] On Behalf Of Manger, James H
Sent: Thursday, August 08, 2013 7:55 AM
To: WG
Subject: Re: [OAUTH-WG] WGLC on JSON Web Token (JWT)

Comments on draft-ietf-oauth-json-web-token-11:

1. Should JWT really go to WGLC before the JOSE docs that it depends on so heavily (JWS/JWE/...)? Even if the "bytes-on-the-wire" are fairly stable, JWT repeats a lot of text from JWS/JWE some of which is likely to change. Finishing WGLC now and queuing the doc to be auto-published when JWS/JWE are published would be bad (unless the duplicate text is removed).

In practice, it seems that JWT has waited for JOSE (and I've kept them fully in sync).  At this point, I expect them proceed through the rest of the approval steps in parallel.

2. The JWT doc would be so much more readable if it could refer to a "JOSE message", "JOSE header", and "JOSE compact serialization"; instead of having to explicitly talk about JWS and JWE every time even when talking about aspects common to both. It would also avoid introducing "JWT Header", "Encoded JWT Header", "Nested JWT", "Plaintext JWT" etc as though these are new items, when in fact they are just additional names for JOSE items. For instance, "JWT Header" is effectively shorthand for "JWS or JWE header" but it is presented as a JWT-specific thing.

I think this really only shows up in a few places - primarily when discussing that the JWT Header is either a JWS Header or a JWE header.  Given that these are actually distinct but related data structures, making it evident that they are different is arguably a good thing.

3. The doc should not repeat definitions from JWS and JWE.

The duplication has been substantially reduced, both within the JOSE docs, and within this doc.  That being said, there's a stylistic tension between saying things in exactly one place and making each document easier to read without constantly having to flip back and forth between them.  In this case, I believe that the small amount of duplication aids developers who might not recursively read everything referenced in full detail.

For instance, the whole first paragraph of section 5 "JWT Header" (JSON object; describes crypto ops; unique names; reject duplicates or use last) is an almost identical copy of paragraphs from JWS and JWE. The duplication (often triplication) adds confusion (eg what is the difference between a JWT Header and JWS Header?) and gets subtly out of sync (eg "cty" either "declares structural information about the JWT" or "declares the type of the secured/encrypted content (the payload/Plaintext) in an application-specific manner").

The description of JWT's use of "cty" is not out of sync - it is intentionally more specific than the fully general, application-independent descriptions in JWS and JWE.  In this case, JWT is the application of JWS and JWE, and needs to specify its requirements about how it uses this header parameter.

Other examples of unnecessarily duplicated text include: section 7 steps 3 & 4 (creating) and steps 1-8 (validating); section 7.1 text about comparing "alg" values; parts of the last 2 paragraphs of section 3 "JWT overview"; 1st and 3rd paragraphs of section 5.2 "cty"; 1st, 2nd, and 4th sentence of section 5.1 "typ".

Step 4 of creation was removed because it truly was a duplicate.  (3 is more specific than the corresponding JWS and JWE steps, and so was not removed.)

The validating steps are necessary because JWT adds two things beyond JWS and JWE:  First, the contents can be either a JWS or JWE, and so there's logic described for the slightly different actions taken in the two cases.  Second, the JWT can be nested, so the logic for nesting and detecting nested JWTs is defined.  It *does* just rely on JWS and JWE for the creation and verification aspects of the JWS and JWE aspects of JWTs.

Both "typ" and "cty" were reworked when their values where changed to MIME types, reducing duplication.

4. Hardly anyone pronounces JWT as "jot" -- it is usually spelt out -- so drop the sentence in the abstract suggesting the "jot" pronunciation.

Your experience may vary, but in in-person conversations, it's usually pronounced "jot" in my experience.  (It's a lot easier to say than "J W T" or "JSON Web Token" and people tend to like short names to say.)

5. Collision Resistant Namespace (section 2 "Terminology") mentions domain names, OIDs, and UUIDs as examples, but fails to mention URIs, which is a likely choice. Domain names will start colliding with "reserved" names soon with all the new top-level domains. Should UUIDs use a "urn:uuid:" prefix, or "uuid:", or no prefix? Should UUIDs only use lower-case hex digits (otherwise duplicate UUIDs will look like distinct JSON names)? Should an OID be "" or "oid:" or "URN:OID:" or "commonName" or "cn"? Collision resistant namespaces lose collision-resistance when you combine namespaces as is done here.

As you suggested, domain names are now the first example mentioned.  This was also rewritten with input from Jim Schaad.

Could the reserved/public/private mess be simplified by saying (at the end of section 4 "JWT Claims"):

  A claim name can be any string. Using URIs as claim names is one

  way to ensure claim names are unambiguous. Claim names that are

  not URIs SHOULD be registered in the IANA Claims registry [section 9.1]

Then drop the last paragraph of section 4 "JWT claims" that starts "there are three classes of JT Claim Names"; drop section 4.2 "Public claim names"; drop section 4.3 "Private claim names"; drop the "collision resistant namespace" term.

Calling out that there are three distinct classes of names has been valuable in helping developers think about how to use claim names, in practice.  In particular, it lets us describe the benefits and drawbacks of each, helping developers and deployers make reasonable choices for their application contexts.

At Jim Schaad's suggestion, "public" was changed to "registered" and the description changed to talk about this class of names being in the IANA registry.

6. The docs says including a "typ" field is OPTIONAL. Even when present "typ" can have any value since the two suggestions in the doc ("JWT" or "urn:ietf:params:oauth:token-type:jwt") are only RECOMMENDED. Given this, there doesn't seem to be anything a JWT recipient can usefully do with "typ". If it tries to use "typ" it will just be incompatible with compliant JWT senders that either omit "typ" or use another value. It would be better to drop section 5.1 "Type Header Parameter" entirely -- leaving any "typ" value definitions to profiles that actually define processing for such values.

The description has been reworked to mostly just refer to the JWS and JWE definitions.  The URN usage was removed when "typ" and "cty" values were made MIME type values.

7. The doc redefines the "cty" header parameter, which is already defined in JWS and JWE (slightly differently in all 3 cases - argh). JWT uses "cty" to indicate nested JOSE messages, which should be a JOSE feature as it is not specific to JWT (hence "cty":"jwt" is a poor choice).

The description has been reworked to mostly just refer to the JWS and JWE definitions.  "cty" is not redefined; it's use by JWT is specified.

8. [Editorial] "JWA signing algorithm" and "JWA encryption algorithms" are the wrong phrases. These are JWS signing algs and JWE encryption algs that happen to be specified in JWA.

The phrases "JWA signing algorithms" and "JWA encryption algorithms" were removed.

9. Including a short description for each claim name in the registry would be useful. Just a 3-letter abbreviation is not helpful enough. Eg add a Claim description field:

  Claim name: "nbf"

  Claim description: not before

  Change controller: IETF

  Specification document: section 4.1.5. of [[ this doc ]]

This was done - both here and in the JOSE documents.  Thanks for the useful suggestion.


James Manger

> ----------

> Sent: Wednesday, 7 August 2013 7:20 PM

> Subject: [OAUTH-WG] WGLC on JSON Web Token (JWT)


> Hi all,


> this is a working group last call for the JSON Web Token (JWT).


> Here is the document:



> Please send you comments to the OAuth mailing list by August 21, 2013.


> Ciao

> Hannes & Derek


OAuth mailing list<>