Re: [OAUTH-WG] [COSE] A draft on CBOR Web Tokens (CWT)

Erik Wahlström neXus <> Thu, 12 November 2015 20:01 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 91B441B339A; Thu, 12 Nov 2015 12:01:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.31
X-Spam-Status: No, score=-2.31 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-0.7, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id qiIJZOOvm9Ct; Thu, 12 Nov 2015 12:01:42 -0800 (PST)
Received: from ( []) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id B19D71B33AC; Thu, 12 Nov 2015 12:01:27 -0800 (PST)
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.995.29; Thu, 12 Nov 2015 21:01:25 +0100
Received: from ([fe80::1d3d:b319:f020:2bab]) by ([fe80::1d3d:b319:f020:2bab%12]) with mapi id 15.00.0995.032; Thu, 12 Nov 2015 21:01:25 +0100
From: Erik Wahlström neXus <>
To: Carsten Bormann <>
Thread-Topic: [COSE] A draft on CBOR Web Tokens (CWT)
Thread-Index: AQHRHX3EcFviJsoC2k6K5CeJemK0A56YuYEAgAAEkAA=
Date: Thu, 12 Nov 2015 20:01:24 +0000
Message-ID: <>
References: <> <>
In-Reply-To: <>
Accept-Language: en-US, sv-SE
Content-Language: en-US
x-mailer: Apple Mail (2.2104)
x-originating-ip: []
Content-Type: text/plain; charset="utf-8"
Content-ID: <>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <>
Cc: Hannes Tschofenig <>, "" <>, "<>" <>, "" <>
Subject: Re: [OAUTH-WG] [COSE] A draft on CBOR Web Tokens (CWT)
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 12 Nov 2015 20:01:45 -0000

Hi Carsten,

Thanks, and I agree. I’ve heard arguments for all three work groups.

Borrowed some of your words to define the content of the draft :)
It’s it essentially a JWT, phrased in and profiled for CBOR to address ACE needs, where OAuth needs COSE functionality, for object security.

I’m open for letting the AD’s move it around, but having it right next to JWT seems right to me. Also open for the ACE WG. Feel it has less place in COSE for the same reasons JWT is not in the JOSE WG.

/ Erik

> On 12 Nov 2015, at 20:45, Carsten Bormann <> wrote:
> Hi Erik,
> having this draft is a good thing.
> One thing I'm still wondering is what WG is the best place to progress
> this.  We probably don't need to spend too much time on this because,
> regardless of the WG chosen, the people in another WG can look at it.
> Still, getting this right might provide some efficiencies.
> What is the technical content of this draft?  Is it a new token that
> OAuth needs specifically for the new COSE-based applications of OAuth?
> Is it a new token that is specifically there for addressing ACE needs?
> Or is it essentially the same substance as JWT, but phrased in and
> profiled for CBOR?
> Depending on the answer, CWT should be done in OAuth, ACE, or COSE.
> (I'd rather hear the answer from the authors than venture a guess myself.)
> Grüße, Carsten
> Erik Wahlström neXus wrote:
>> Hi,
>> In the ACE WG a straw man proposal of a CBOR Web Token (CWT) was defined
>> in the draft "Authorization for the Internet of Things using OAuth 2.0”
>> [1]. We just broke out the CBOR Web Token into a separate draft and the
>> new draft is submitted to the OAUTH WG. It can be found here: 
>> Abstract: 
>> "CBOR Web Token (CWT) is a compact means of representing claims to be
>> transferred between two parties.  CWT is a profile of the JSON Web Token
>> (JWT) that is optimized for constrained devices. The claims in a CWT are
>> encoded in the Concise Binary Object Representation (CBOR) and CBOR
>> Object Signing and Encryption (COSE) is used for added application layer
>> security protection.  A claim is a piece of information asserted about a
>> subject and is represented as a name/value pair consisting of a claim
>> name and a claim value."
>> / Erik
>> [1]
>> _______________________________________________
>> COSE mailing list