Re: [OAUTH-WG] WGLC on JSON Web Token (JWT)

Prateek Mishra <> Wed, 21 August 2013 23:51 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 4147311E8129 for <>; Wed, 21 Aug 2013 16:51:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[AWL=-0.001, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id qLIzX1BnBUNY for <>; Wed, 21 Aug 2013 16:51:13 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 9F39311E8143 for <>; Wed, 21 Aug 2013 16:51:13 -0700 (PDT)
Received: from ( []) by (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id r7LNp7M2025977 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 21 Aug 2013 23:51:08 GMT
Received: from ( []) by (8.14.4+Sun/8.14.4) with ESMTP id r7LNp6Gj028982 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 21 Aug 2013 23:51:07 GMT
Received: from ( []) by (8.14.4+Sun/8.14.4) with ESMTP id r7LNp65n015597; Wed, 21 Aug 2013 23:51:06 GMT
Received: from [] (/ by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 21 Aug 2013 16:51:06 -0700
Message-ID: <>
Date: Wed, 21 Aug 2013 19:51:05 -0400
From: Prateek Mishra <>
Organization: Oracle Corporation
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130801 Thunderbird/17.0.8
MIME-Version: 1.0
To: Hannes Tschofenig <>
References: <>
In-Reply-To: <>
Content-Type: multipart/alternative; boundary="------------070803070105030009000709"
X-Source-IP: []
Cc: " WG" <>
Subject: Re: [OAUTH-WG] WGLC on JSON Web Token (JWT)
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 21 Aug 2013 23:51:19 -0000

1) As a JWT is always an instance of JWE or JWS, I am not sure why there 
is a need for the the materials found in Section 5, para 1 (these are 
also found in the JWE and JWS draft specifications). It could simply be 
removed from the draft.

2) Why do we need both a "typ" claim and a "typ" header name? Need they 
have some relationship to each other?
Isn't this also covered by Section 5.3?

3)  The materials in Section 5.3 could be simplified further.

Why should the use of claims as header parameters be restricted to the 
case where the JWT=JWE; what about the encrypt then sign (symmetric) 
use-case? I see no issue in allowing this feature with a JWT of any type.

The last paragraph of Section 5.3 ("This specification reserves the iss 
(issuer), sub (subject),....") seems to be an instance of the
previous paragraph. If claims are allowed in the header, then iss 
(issuer), sub (subject) are trivially allowed, right? I couldn't find 
any additional information in this last paragraph.

Finally, do we need "SHOULD verify that their values are identical" - 
given that this matter is left upto applications, couldnt they choose to 
verify only a certain relationship between the corresponding values 
(e.g., header carries hash of value, JWT carries the (large) complete 
value)?  Can this be weakened to "SHOULD verify that their values have 
an appropriate (application-defined) relationship. In many instances, 
applications may want to ensure that they are identical".

4) Section 8 -

am I correct in reading this as: all conforming JWT implementations MUST 
implement JWS and MAY implement JWE?
At least thats what I understood from the last paragraph ("/if/ an 
implementation provides encryption capabilities...").

- prateek
> Hi all,
> this is a working group last call for the JSON Web Token (JWT).
> Here is the document:
> Please send you comments to the OAuth mailing list by August 21, 2013.
> Ciao
> Hannes & Derek
> _______________________________________________
> OAuth mailing list