Musings on Digital Identity

Month: March 2012

JSON Web Token (JWT) Specification Draft -08

IETF logoDraft 08 of the JSON Web Token (JWT) specification has been published. It uses the -01 versions of the JOSE specifications and also contains these changes:

  • Removed language that required that a JWT must have three parts. Now the number of parts is explicitly dependent upon the representation of the underlying JWS or JWE.
  • Moved the “alg”:”none” definition to the JWS spec.
  • Registered the application/jwt MIME Media Type.
  • Clarified that the order of the creation and validation steps is not significant in cases where there are no dependencies between the inputs and outputs of the steps.
  • Corrected the Magic Signatures and Simple Web Token (SWT) references.

This specification is available at:

An HTML formatted version is available at:

Draft -01 of JSON Crypto Specs: JWS, JWE, JWK, JWA, JWS-JS, JWE-JS

IETF logoNew versions of the IETF JSON Object Signing and Encryption (JOSE) specifications are now available that incorporate working group feedback since publication of the initial versions. They are:

  • JSON Web Signature (JWS) — Digital signature/HMAC specification
  • JSON Web Encryption (JWE) — Encryption specification
  • JSON Web Key (JWK) — Public key specification
  • JSON Web Algorithms (JWA) — Algorithms and identifiers specification

The most important changes are:

  • Added a separate integrity check for encryption algorithms without an integral integrity check.
  • Defined header parameters for including JWK public keys and X.509 certificate chains directly in the header.

See the Document History section in each specification for a more detailed list of changes.

Corresponding versions of the JSON Serialization specs, which use these JOSE drafts, are also available. Besides using JSON Serializations of the cryptographic results (rather than Compact Serializations using a series of base64url encoded values), these specifications also enable multiple digital signatures and/or HMACs to applied to the same message and enable the same plaintext to be encrypted to multiple recipients. They are:

  • JSON Web Signature JSON Serialization (JWS-JS)
  • JSON Web Encryption JSON Serialization (JWE-JS)

These specifications are available at:

HTML formatted versions are available at:

OAuth 2.0 Bearer Token Specification Draft -18

OAuth logoDraft 18 of the OAuth 2.0 Bearer Token Specification has been published. It contains the following changes:

  • Changed example bearer token value from vF9dft4qmT to mF_9.B5f-4.1JqM.
  • Added example access token response returning a Bearer token.

The draft is available at:

An HTML-formatted version is available at:

JSON Serializations for JWS and JWE

IETF logoParticipants in the JOSE working group have described use cases where a JSON top-level representation of digitally signed, HMAC’ed, or encrypted content is desirable. They have also described use cases where multiple digital signatures and/or HMACs need to applied to the same message and where the same plaintext needs to be encrypted to multiple recipients.

Responding to those use cases and working group input, I have created two new brief specifications:

  • JSON Web Signature JSON Serialization (JWS-JS)
  • JSON Web Encryption JSON Serialization (JWE-JS)

These use the same cryptographic operations as JWS and JWE, but serialize the results into a JSON objects, rather than a set of base64url encoded values separated by periods (as is done for JWS and JWE to produce compact, URL-safe representations).

These drafts are available at:

HTML-formatted versions are available at:

Feedback welcome!

Powered by WordPress & Theme by Anders Norén