The JSON Web Token (JWT) Best Current Practices (BCP) specification has been updated to address the review comments from Security Area Director (AD) Eric Rescorla. Thanks to Eric for the review and to Yaron Sheffer for working on the responses with me.
Note that IETF publication has already been requested. The next step is for the shepherd review to be submitted and responded to.
The specification is available at:
An HTML-formatted version is also available at:
The Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) specification has been updated to addresses a few additional Working Group Last Call (WGLC) comments. All of the (few) changes were about improving the clarity of the exposition. I believe that this completes addressing the WGLC comments.
Thanks to Roman Danyliw for helping to categorize the remaining comments that needed to be addressed.
The specification is available at:
An HTML-formatted version is also available at:
The Security Event Token (SET) specification is now RFC 8417. The abstract describes the specification as:
This specification defines the Security Event Token (SET) data structure. A SET describes statements of fact from the perspective of an issuer about a subject. These statements of fact represent an event that occurred directly to or about a security subject, for example, a statement about the issuance or revocation of a token on behalf of a subject. This specification is intended to enable representing security- and identity-related events. A SET is a JSON Web Token (JWT), which can be optionally signed and/or encrypted. SETs can be distributed via protocols such as HTTP.
SETs are already in use to represent OpenID Connect Back-Channel Logout tokens and to represent Risk and Incident Sharing and Coordination (RISC) events. Thanks to my co-editors, members of the IETF ID Events mailing list, and members of the IETF Security Events working group for making this standard a reality!
A new draft of the Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) specification has been published that addresses the Working Group Last Call (WGLC) comments received. Changes were:
Thanks to Samuel Erdtman and Hannes Tschofenig for contributing to the editing for this version and to Jim Schaad and Roman Danyliw for their review comments.
The specification is available at:
An HTML-formatted version is also available at:
The OAuth 2.0 Authorization Server Metadata specification is now RFC 8414. The abstract describes the specification as:
This specification defines a metadata format that an OAuth 2.0 client can use to obtain the information needed to interact with an OAuth 2.0 authorization server, including its endpoint locations and authorization server capabilities.
The specification defines a JSON metadata representation for OAuth 2.0 authorization servers that is compatible with OpenID Connect Discovery 1.0. This specification is a true instance of standardizing existing practice. OAuth 2.0 deployments have been using the OpenID Connect metadata format to describe their endpoints and capabilities for years. This RFC makes this existing practice a standard.
Having a standard OAuth metadata format makes it easier for OAuth clients to configure connections to OAuth authorization servers. See https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#authorization-server-metadata for the initial set of registered metadata values.
Thanks to all of you who helped make this standard a reality!
We’ve updated the Security Event Token (SET) specification to address feedback received from Internet Engineering Steering Group (IESG) members. We’ve actually published three versions in quick succession in preparation for tomorrow’s evaluation by the IESG.
Draft -11 incorporated feedback from Security Area Director Eric Rescorla and IANA Designated Expert Ned Freed. Changes were:
Draft -12 incorporated feedback from Adam Roach, Alexey Melnikov, and Alissa Cooper. Changes were:
Draft -13 incorporated feedback from Martin Vigoureaux. Changes were:
The specification is available at:
An HTML-formatted version is also available at:
The JSON Web Token (JWT) Best Current Practices (BCP) specification has been updated to address the Working Group Last Call (WGLC) feedback received. Thanks to Neil Madden for his numerous comments and to Carsten Bormann and Brian Campbell for their reviews.
Assuming the chairs concur, the next step should be to request publication.
The specification is available at:
An HTML-formatted version is also available at:
The “CBOR Web Token (CWT)” specification is now RFC 8392 – an IETF standard. The abstract for the specification is:
CBOR Web Token (CWT) is a compact means of representing claims to be transferred between two parties. The claims in a CWT are encoded in the Concise Binary Object Representation (CBOR) and CBOR Object Signing and Encryption (COSE) is used for added application-layer security protection. A claim is a piece of information asserted about a subject and is represented as a name/value pair consisting of a claim name and a claim value. CWT is derived from JSON Web Token (JWT) but uses CBOR rather than JSON.
Special thanks to Erik Wahlström for starting this work and to Samuel Erdtman for doing most of the heavy lifting involved in creating correct and useful CBOR and COSE examples.
Next up — finishing “Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs)“, which provides the CWT equivalent of “Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)” [RFC 7800].
An updated Security Event Token (SET) specification has published to address recent review comments received. Changes were:
The specification is available at:
An HTML-formatted version is also available at:
The syntax of two JWT claims registered by the OAuth Token Exchange specification has been changed as a result of developer feedback. Developers pointed out that the OAuth Token Introspection specification [RFC 7662] uses a “scope” string to represent scope values, whereas Token Exchange was defining an array-valued “scp” claim to represent scope values. The former also uses a “client_id” element to represent OAuth Client ID values, whereas the latter was using a “cid” claim for the same purpose.
After consulting with the working group, the OAuth Token Exchange claim names have been changed to “scope” and “client_id“. Thanks to Torsten Lodderstedt for pointing out the inconsistencies and to Brian Campbell for seeking consensus and making the updates.
The specification is available at:
An HTML-formatted version is also available at:
The Security Event Token (SET) specification has been updated to address Area Director review comments from Benjamin Kaduk. Thanks for the thorough and useful review, as always, Ben.
The specification is available at:
An HTML-formatted version is also available at:
A new draft of the Security Event Token (SET) specification has published that addresses comments from Russ Housley, who reviewed the spec for the IETF Security Directorate (SecDir). Changes were:
The specification is available at:
An HTML-formatted version is also available at:
The JSON Web Token (JWT) Best Current Practices (BCP) specification has been updated to add guidance on how to explicitly type Nested JWTs. Thanks to Brian Campbell for suggesting the addition.
The specification is available at:
An HTML-formatted version is also available at:
One more clarification to the CBOR Web Token (CWT) specification has been made to address a comment by IESG member Adam Roach. This version is being sent to the RFC Editor in preparation for its publication as an RFC. The change was:
Special thanks to Security Area Director Kathleen Moriarty for helping get this across the finish line!
The specification is available at:
An HTML-formatted version is also available at:
The CBOR Web Token (CWT) specification has been updated to address comments received from Internet Engineering Steering Group (IESG) members. Changes were:
Special thanks to Security Area Director Kathleen Moriarty for helping get this across the finish line!
The specification is available at:
An HTML-formatted version is also available at:
The CBOR Web Token (CWT) specification has been updated to address IETF last call comments received to date, including GenArt, SecDir, Area Director, and additional shepherd comments. Changes were:
The specification is available at:
An HTML-formatted version is also available at:
The OAuth Authorization Server Metadata specification has been updated to address additional IESG feedback. The only change was to clarify the meaning of “case-insensitive”, as suggested by Alexey Melnikov.
The specification is available at:
An HTML-formatted version is also available at:
A few local improvements have been made to the Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) specification. Changes were:
Thanks to Samuel Erdtman for sharing the editing.
The specification is available at:
An HTML-formatted version is also available at:
A new draft of the Security Event Token (SET) specification has published that addresses review comments from the second Working Group Last Call and shepherd comments from Yaron Sheffer. Changes were:
iat” description, as suggested by Annabelle Backman.The specification is available at:
An HTML-formatted version is also available at:
The OAuth Authorization Server Metadata specification has been updated to address feedback received from IESG members. Changes were:
The specification is available at:
An HTML-formatted version is also available at:
Powered by WordPress & Theme by Anders Norén