Re: [OAUTH-WG] WGLC on JSON Web Token (JWT)

"Manger, James H" <> Thu, 08 August 2013 14:55 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id D8E8C11E81D9 for <>; Thu, 8 Aug 2013 07:55:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.499
X-Spam-Status: No, score=-1.499 tagged_above=-999 required=5 tests=[AWL=1.402, BAYES_00=-2.599, GB_I_LETTER=-2, HELO_EQ_AU=0.377, HOST_EQ_AU=0.327, RELAY_IS_203=0.994]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id nB5hYG7XlOo4 for <>; Thu, 8 Aug 2013 07:55:05 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 3D77311E8168 for <>; Thu, 8 Aug 2013 07:55:05 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="4.89,839,1367935200"; d="scan'208";a="151439843"
Received: from unknown (HELO ([]) by with ESMTP; 09 Aug 2013 00:54:59 +1000
X-IronPort-AV: E=McAfee;i="5400,1158,7160"; a="111269079"
Received: from ([]) by with ESMTP; 09 Aug 2013 00:54:59 +1000
Received: from ([]) by ([]) with mapi; Fri, 9 Aug 2013 00:54:59 +1000
From: "Manger, James H" <>
To: " WG" <>
Date: Fri, 9 Aug 2013 00:54:56 +1000
Thread-Topic: [OAUTH-WG] WGLC on JSON Web Token (JWT)
Thread-Index: Ac6TT0vhulQYMkb2Ta+CwLXXkxiM9wAeaQCA
Message-ID: <>
References: <>
In-Reply-To: <>
Accept-Language: en-US, en-AU
Content-Language: en-US
acceptlanguage: en-US, en-AU
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Subject: Re: [OAUTH-WG] WGLC on JSON Web Token (JWT)
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 08 Aug 2013 14:55:11 -0000

Comments on draft-ietf-oauth-json-web-token-11:

1. Should JWT really go to WGLC before the JOSE docs that it depends on so heavily (JWS/JWE/...)? Even if the "bytes-on-the-wire" are fairly stable, JWT repeats a lot of text from JWS/JWE some of which is likely to change. Finishing WGLC now and queuing the doc to be auto-published when JWS/JWE are published would be bad (unless the duplicate text is removed).

2. The JWT doc would be so much more readable if it could refer to a "JOSE message", "JOSE header", and "JOSE compact serialization"; instead of having to explicitly talk about JWS and JWE every time even when talking about aspects common to both. It would also avoid introducing "JWT Header", "Encoded JWT Header", "Nested JWT", "Plaintext JWT" etc as though these are new items, when in fact they are just additional names for JOSE items. For instance, "JWT Header" is effectively shorthand for "JWS or JWE header" but it is presented as a JWT-specific thing.

3. The doc should not repeat definitions from JWS and JWE. For instance, the whole first paragraph of section 5 "JWT Header" (JSON object; describes crypto ops; unique names; reject duplicates or use last) is an almost identical copy of paragraphs from JWS and JWE. The duplication (often triplication) adds confusion (eg what is the difference between a JWT Header and JWS Header?) and gets subtly out of sync (eg "cty" either "declares structural information about the JWT" or "declares the type of the secured/encrypted content (the payload/Plaintext) in an application-specific manner"). 
Other examples of unnecessarily duplicated text include: section 7 steps 3 & 4 (creating) and steps 1-8 (validating); section 7.1 text about comparing "alg" values; parts of the last 2 paragraphs of section 3 "JWT overview"; 1st and 3rd paragraphs of section 5.2 "cty"; 1st, 2nd, and 4th sentence of section 5.1 "typ".

4. Hardly anyone pronounces JWT as "jot" -- it is usually spelt out -- so drop the sentence in the abstract suggesting the "jot" pronunciation.

5. Collision Resistant Namespace (section 2 "Terminology") mentions domain names, OIDs, and UUIDs as examples, but fails to mention URIs, which is a likely choice. Domain names will start colliding with "reserved" names soon with all the new top-level domains. Should UUIDs use a "urn:uuid:" prefix, or "uuid:", or no prefix? Should UUIDs only use lower-case hex digits (otherwise duplicate UUIDs will look like distinct JSON names)? Should an OID be "" or "oid:" or "URN:OID:" or "commonName" or "cn"? Collision resistant namespaces lose collision-resistance when you combine namespaces as is done here.

Could the reserved/public/private mess be simplified by saying (at the end of section 4 "JWT Claims"):

  A claim name can be any string. Using URIs as claim names is one
  way to ensure claim names are unambiguous. Claim names that are
  not URIs SHOULD be registered in the IANA Claims registry [section 9.1]

Then drop the last paragraph of section 4 "JWT claims" that starts "there are three classes of JT Claim Names"; drop section 4.2 "Public claim names"; drop section 4.3 "Private claim names"; drop the "collision resistant namespace" term.

6. The docs says including a "typ" field is OPTIONAL. Even when present "typ" can have any value since the two suggestions in the doc ("JWT" or "urn:ietf:params:oauth:token-type:jwt") are only RECOMMENDED. Given this, there doesn't seem to be anything a JWT recipient can usefully do with "typ". If it tries to use "typ" it will just be incompatible with compliant JWT senders that either omit "typ" or use another value. It would be better to drop section 5.1 "Type Header Parameter" entirely -- leaving any "typ" value definitions to profiles that actually define processing for such values.

7. The doc redefines the "cty" header parameter, which is already defined in JWS and JWE (slightly differently in all 3 cases - argh). JWT uses "cty" to indicate nested JOSE messages, which should be a JOSE feature as it is not specific to JWT (hence "cty":"jwt" is a poor choice).

8. [Editorial] "JWA signing algorithm" and "JWA encryption algorithms" are the wrong phrases. These are JWS signing algs and JWE encryption algs that happen to be specified in JWA.

9. Including a short description for each claim name in the registry would be useful. Just a 3-letter abbreviation is not helpful enough. Eg add a Claim description field:
  Claim name: "nbf"
  Claim description: not before
  Change controller: IETF
  Specification document: section 4.1.5. of [[ this doc ]]

James Manger

> ----------
> Sent: Wednesday, 7 August 2013 7:20 PM
> Subject: [OAUTH-WG] WGLC on JSON Web Token (JWT)
> Hi all,
> this is a working group last call for the JSON Web Token (JWT).
> Here is the document:
> Please send you comments to the OAuth mailing list by August 21, 2013.
> Ciao
> Hannes & Derek