Re: [OAUTH-WG] review: draft-ietf-oauth-json-web-token-05
Anthony Nadalin <tonynad@microsoft.com> Sun, 30 December 2012 16:36 UTC
From: Anthony Nadalin <tonynad@microsoft.com>
To: David Chadwick <d.w.chadwick@kent.ac.uk>
Date: Sun, 30 Dec 2012 16:35:23 +0000
Cc: IETF oauth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] review: draft-ietf-oauth-json-web-token-05
Nope, disagree, as a claim is always in doubt, thus it has no proof; the proof comes in the verification.

-----Original Message-----
From: David Chadwick [mailto:d.w.chadwick@kent.ac.uk]
Sent: Sunday, December 30, 2012 12:20 AM
To: Anthony Nadalin
Cc: Mike Jones; IETF oauth WG
Subject: Re: [OAUTH-WG] review: draft-ietf-oauth-json-web-token-05

On 30/12/2012 00:28, Anthony Nadalin wrote:
> By definition a claim is always in doubt thus it would not call it a
> credential until it is verified

No this is not correct, since you can have valid and invalid credentials. You present your credentials to the RP, and the RP verifies them based on the proof they contain. If you present a claim without any proof then it is not a credential and it cannot be verified (since it contains no proof) without the RP obtaining some proof information from elsewhere (such as showing it to the issuer and asking them if it is genuine or not).

So I would say that in Oauth you can present a claim or a credential.

regards

David

>
> -----Original Message-----
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of David Chadwick
> Sent: Saturday, December 29, 2012 1:42 AM
> To: Mike Jones
> Cc: IETF oauth WG
> Subject: Re: [OAUTH-WG] review: draft-ietf-oauth-json-web-token-05
>
> If a claim provides proof then I would call it a credential not a claim
>
> David
>
> On 29/12/2012 01:11, Mike Jones wrote:
>> I found the X.1252 definition. It is:
>>
>> *6.18 claim* [b-OED]: To state as being the case, without being able to give proof.
>>
>> That seems both a bit vague, and actually incorrect, as the JWT may include proof of the veracity of the claim. Please see the updated JWT draft for a hopefully more useful "Claim" definition.
>>
>> Best wishes,
>>
>> -- Mike
>>
>> *From:* Mike Jones
>> *Sent:* Sunday, December 23, 2012 1:03 PM
>> *To:* Jeff Hodges; Nat Sakimura
>> *Cc:* IETF oauth WG
>> *Subject:* RE: [OAUTH-WG] review: draft-ietf-oauth-json-web-token-05
>>
>> What is the X.1252 definition?
>>
>> -- Mike
>>
>> *From:* Nat Sakimura
>> *Sent:* December 23, 2012 10:09 AM
>> *To:* =JeffH
>> *CC:* Mike Jones, IETF oauth WG
>> *Subject:* Re: [OAUTH-WG] review: draft-ietf-oauth-json-web-token-05
>>
>> Re definition of 'claim', as JWT is supposed to be generic, it may be better to go with the definition of X.1252 rather than OIDC.
>>
>> =nat via iPhone
>>
>> On Dec 24, 2012 at 2:42, =JeffH <Jeff.Hodges@kingsmountain.com> wrote:
>>
>>>
>>>> Thanks for the replies, Jeff. They make sense. Particularly, thanks for the "JSON Text Object" suggestion.
>>>
>>> welcome, glad they made some sense.
>>>
>>> similarly, if one employs JSON arrays, I'd define a "JSON text array".
>>>
>>>
>>>> For the "claims" definition, I'm actually prone to go with definitions based on those in
>>>> http://openid.net/specs/openid-connect-messages-1_0-13.html#terminology
>>>> - specifically:
>>>>
>>>> Claim
>>>>   A piece of information about an Entity that a Claims Provider asserts about that Entity.
>>>> Claims Provider
>>>>   A system or service that can return Claims about an Entity.
>>>> End-User
>>>>   A human user of a system or service.
>>>> Entity
>>>>   Something that has a separate and distinct existence and that can be identified in context. An End-User is one example of an Entity.
>>>
>>> well, it seems to me, given the manner in which the JWT spec is written, one can make the case that JWT claims in general aren't necessarily about an Entity (as the latter term is used in the context of the OpenID Connect specs), rather they're in general simply assertions about something(s). this is because all pre-defined JWT claim types are optional and all JWT semantics are left up to specs that profile (aka re-use) the JWT spec.
>>>
>>> HTH,
>>>
>>> =JeffH
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
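The distinction argued over in this thread, a claim that carries no proof versus a credential whose proof the RP verifies, as an added example that is not part of the thread or of the JWT draft: the same claim set is presented as bare JSON, as a genuinely HS256-signed JWS compact serialization, as a forgery signed under the wrong key, and with "alg":"none" and an empty signature segment, and a relying-party verifier accepts only the genuine token. The key, issuer URL and claim values are constructed for illustration; the code uses only the Python standard library.

```python
"""Claims vs. proof: a bare JSON claim set beside an HS256-signed JWT.

Added example, not code from the thread or the JWT draft. Standard library only.
DEMO_KEY, the issuer URL and all claim values are constructed for illustration.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key. A real HS256 key is random and at least 256 bits long.
DEMO_KEY = b"constructed-demo-key-do-not-use-in-production"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    """Inverse of _b64url; restores the padding Python's decoder wants."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _canonical_json(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("utf-8")


def bare_claim_set(claims: dict) -> str:
    """A claim with no proof: just the JSON text. Anyone can write one."""
    return _canonical_json(claims).decode("utf-8")


def sign_jwt(claims: dict, key: bytes) -> str:
    """Attach proof: JWS compact serialization, HMAC-SHA256 over header.payload."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _b64url(_canonical_json(header)) + "." + _b64url(_canonical_json(claims))
    tag = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(tag)


def verify_jwt(token: str, key: bytes) -> Optional[dict]:
    """The RP's verification step. Returns the claims only if the proof checks out.

    The RP fixes the algorithm it expects and recomputes the MAC itself; it does
    not let the token's own header choose the algorithm, so "alg":"none" fails.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None  # no signature segment: a claim, not a credential
    header_b64, payload_b64, tag_b64 = parts
    try:
        header = json.loads(_unb64url(header_b64))
        presented_tag = _unb64url(tag_b64)
    except ValueError:  # covers binascii.Error and JSONDecodeError
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected_tag = hmac.new(
        key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected_tag, presented_tag):  # constant-time compare
        return None
    try:
        claims = json.loads(_unb64url(payload_b64))
    except ValueError:
        return None
    return claims if isinstance(claims, dict) else None


def demo() -> dict:
    """Four presentations of the same claims; only the genuinely signed one verifies."""
    claims = {"iss": "https://issuer.example", "sub": "alice", "exp": 1356998400}
    bare = bare_claim_set(claims)                                     # no proof at all
    genuine = sign_jwt(claims, DEMO_KEY)                              # proof under the issuer key
    forged = sign_jwt(dict(claims, sub="mallory"), b"attacker-key")  # attacker lacks the key
    # "alg":"none" with an empty signature segment, a classic verifier pitfall
    unsigned = _b64url(b'{"alg":"none"}') + "." + _b64url(_canonical_json(claims)) + "."
    return {
        "bare": verify_jwt(bare, DEMO_KEY),
        "genuine": verify_jwt(genuine, DEMO_KEY),
        "forged": verify_jwt(forged, DEMO_KEY),
        "alg_none": verify_jwt(unsigned, DEMO_KEY),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:9s} -> {'accepted' if result else 'rejected'}")
```

The verifier pins the algorithm rather than reading it from the token and compares MACs in constant time; those two choices are what turn "the RP verifies the proof" into something an attacker cannot steer with a crafted header.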