Re: [woes] [OAUTH-WG] JSON Web Token (JWT) Draft -04

Mike Jones <Michael.Jones@microsoft.com> Tue, 05 April 2011 17:54 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: Bob Gregory <pathogenix@gmail.com>
Date: Tue, 05 Apr 2011 17:55:55 +0000
Cc: "openid-specs-ab@lists.openid.net" <openid-specs-ab@lists.openid.net>, "woes@ietf.org" <woes@ietf.org>, "oauth@ietf.org" <oauth@ietf.org>, "openid-specs@lists.openid.net" <openid-specs@lists.openid.net>
Subject: Re: [woes] [OAUTH-WG] JSON Web Token (JWT) Draft -04

Thanks for the candid feedback, Bob.  I agree that the specs can be more clearly delineated and I'll make that an editorial goal in the next round of revisions.  In particular, I agree that a non-JWT example should be added to the JWS spec.

I intentionally kept complete JWT examples in the JWT spec, including examples of the actual signing computations, so that people can verify that their JWT implementations are compatible with these values.  But I'd be open to input on how complete these examples should be, versus those in the JWS spec (which describe all the signing steps in full detail, unlike the JWT draft).

 -- Mike

From: Bob Gregory [mailto:pathogenix@gmail.com]
Sent: Tuesday, April 05, 2011 9:10 AM
To: Mike Jones
Cc: woes@ietf.org; oauth@ietf.org; openid-specs-ab@lists.openid.net; openid-specs@lists.openid.net
Subject: Re: [OAUTH-WG] JSON Web Token (JWT) Draft -04

Hi Mike,

I'm going to start implementing draft 4 in the near future. At a cursory reading, I'm concerned that splitting the specifications has not simplified the language, rather it has confused the specification, and introduced generalisation where there were formerly simple, specific cases.

If the long-term intent is that JWS and JWE should form composable operations for signing and encrypting content, while JWT specifies a payload format, then the specifications should be more clearly delineated. The current JWT draft makes repeated references to headers and signatures, and includes an appendix entry giving examples of signing. If JWS is the specification for signing, then the JWT draft should drop these sections.

JWT then becomes a teeny-weeny specification consisting of an overview, a table for reserved claim names, the rules for verifying those claims, and some notes on creating custom claims.

Likewise, if JWS is intended to be a general mechanism for signing messages, it would be preferable to see examples in the JWS spec which do not refer to the JWT spec. Simple strings, or base64 encoded binary would make better examples for JWS, without coupling the two specifications together.

As it stands, it's impossible to implement JWT without continual cross-reference. It's much harder to gain a sense of how an implementation ought to hang together than it used to be.

It's still possible for Jwt4net to be a compliant implementation of JWT without supporting a generalised JWS implementation, but checking compliance is going to be much harder. I think the next steps for the library, once I've fixed a couple of glaring holes, will be to refactor out a full JWS implementation, and treat JWT as a special case, but that adds accidental complexity to what was a relatively simple library (barring my own over-complication through stupidity).

I'm still a big fan of JWT as a standard, but I think the current spec language is a step backwards for implementation.

 -- Bob Gregory
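An added example, not code from Jwt4Net or from the drafts, of the layering Bob describes (and of the kind of signing computation Mike says the JWT examples exist to check): a generic JWS-style HMAC signing layer over arbitrary bytes, with JWT issuance and consumption built on top of it as a special case that adds claim validation. It assumes the HS256 algorithm name and the claim names "iss", "aud" and "exp"; the key and claim values are constructed.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# Generic signing layer (the JWS role): signs any bytes, knows nothing about claims.
# Assumes the HS256 algorithm name; "typ" is optional so non-JWT payloads work too.
def jws_sign(payload: bytes, key: bytes, typ: Optional[str] = None) -> str:
    header = {"alg": "HS256"}
    if typ:
        header["typ"] = typ
    signing_input = b64url(json.dumps(header, separators=(",", ":")).encode()) + "." + b64url(payload)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def jws_verify(token: str, key: bytes) -> bytes:
    """Return the raw payload bytes if the HMAC is valid, otherwise raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed compact serialization")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":
        # The verifier decides which algorithms it accepts; the header does not.
        raise ValueError("unsupported alg")
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    return b64url_decode(p)

# JWT as a special case: the payload is a JSON claim set with its own validation rules.
def jwt_issue(claims: dict, key: bytes) -> str:
    return jws_sign(json.dumps(claims, separators=(",", ":")).encode(), key, typ="JWT")

def jwt_consume(token: str, key: bytes, audience: str, now: Optional[int] = None) -> dict:
    claims = json.loads(jws_verify(token, key))   # signature first, claims second
    now = int(time.time()) if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    if claims.get("aud") != audience:
        raise ValueError("audience mismatch")
    return claims
```

The same `jws_sign` signs a plain string payload (the non-JWT example Bob asks for) and a JWT claim set; only the consumer differs.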

On Wed, Mar 30, 2011 at 4:37 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:
Thanks, Bob.  That's great to hear!

I look forward to your feedback on the spec based upon your actual use.

 -- Mike

From: Bob Gregory [mailto:pathogenix@gmail.com]
Sent: Wednesday, March 30, 2011 8:36 AM
To: Mike Jones
Cc: woes@ietf.org; oauth@ietf.org; openid-specs-ab@lists.openid.net; openid-specs@lists.openid.net

Subject: Re: [OAUTH-WG] JSON Web Token (JWT) Draft -04

I've just uploaded a .Net implementation of JWT issuance and consumption to GitHub @ https://github.com/BobFromHuddle/Jwt4Net

This is in no way ready for public release, but it is in use in a production system. It's based on draft 1, and I'll try to update it to draft 4 compliance next week.

We're intending to provide full coverage of the JWT spec as it matures; the major block for us at the moment is the lack of a specification for the "jku" key encoding scheme. Until that's decided, we're using .Net's default serialization of private keys, which is based on RFC 4050.

 -- Bob Gregory

On Wed, Mar 30, 2011 at 9:57 AM, Mike Jones <Michael.Jones@microsoft.com> wrote:
Draft -04 of the JSON Web Token (JWT) specification (http://self-issued.info/docs/draft-jones-json-web-token.html) is available.  It corrects a typo found by John Bradley in -03.

The draft is available at these locations:

* http://www.ietf.org/internet-drafts/draft-jones-json-web-token-04.txt
* http://www.ietf.org/internet-drafts/draft-jones-json-web-token-04.xml
* http://self-issued.info/docs/draft-jones-json-web-token-04.html
* http://self-issued.info/docs/draft-jones-json-web-token-04.txt
* http://self-issued.info/docs/draft-jones-json-web-token-04.xml
* http://self-issued.info/docs/draft-jones-json-web-token.html (will point to new versions as they are posted)
* http://self-issued.info/docs/draft-jones-json-web-token.txt (will point to new versions as they are posted)
* http://self-issued.info/docs/draft-jones-json-web-token.xml (will point to new versions as they are posted)
* http://svn.openid.net/repos/specifications/json_web_token/1.0/ (Subversion repository, with html, txt, and html versions available)

 -- Mike

--
An infinite number of mathematicians walk into a bar. The first one orders a beer. The second orders half a beer. The third, a quarter of a beer. The bartender says "You're all idiots", and pours two beers.