Mike Jones: self-issued

Musings on Digital Identity

Month: February 2018

Security Event Token (SET) spec addressing 2nd WGLC and shepherd comments

By

On February 28, 2018

In Claims, IETF, JSON, OAuth, Specifications

IETF logoA new draft of the Security Event Token (SET) specification has published that addresses review comments from the second Working Group Last Call and shepherd comments from Yaron Sheffer. Changes were:

  • Changed “when the event was issued” to “when the SET was issued” in the “iat” description, as suggested by Annabelle Backman.
  • Applied editorial improvements that improve the consistency of the specification that were suggested by Annabelle Backman, Marius Scurtescu, and Yaron Sheffer.

The specification is available at:

An HTML-formatted version is also available at:

OAuth Authorization Server Metadata spec addressing IESG feedback

By

On February 27, 2018

In Claims, IETF, JSON, OAuth, Specifications

OAuth logoThe OAuth Authorization Server Metadata specification has been updated to address feedback received from IESG members. Changes were:

  • Revised the transformation between the issuer identifier and the authorization server metadata location to conform to BCP 190, as suggested by Adam Roach.
  • Defined the characters allowed in registered metadata names and values, as suggested by Alexey Melnikov.
  • Changed to using the RFC 8174 boilerplate instead of the RFC 2119 boilerplate, as suggested by Ben Campbell.
  • Acknowledged additional reviewers.

The specification is available at:

An HTML-formatted version is also available at:

CBOR Web Token (CWT) draft addressing shepherd review comments

By

On February 2, 2018

In CBOR, Claims, IETF, Specifications

IETF logoThe CBOR Web Token (CWT) specification has been updated to address the shepherd comments by Benjamin Kaduk. Changes were:

  • Updated the RFC 5226 reference to RFC 8126.
  • Made the IANA registration criteria consistent across sections.
  • Stated that registrations for the limited set of values between -256 and 255 and strings of length 1 are to be restricted to claims with general applicability.
  • Changed the “Reference” field name to “Description of Semantics” in the CBOR Tag registration request.
  • Asked the RFC Editor whether it is possible to preserve the non-ASCII spellings of the names Erik Wahlström and Göran Selander in the final specification.

Thanks to Ben for his careful review of the specification!

The specification is available at:

An HTML-formatted version is also available at:

Security Event Token (SET) spec simplifying claims usage

By

On February 2, 2018

In Claims, IETF, JSON, OpenID, Specifications

IETF logoThe Security Event Token (SET) specification has been updated to simplify the definitions and usage of the “iat” (issued at) and “toe” (time of event) claims. The full set of changes made was:

  • Simplified the definitions of the “iat” and “toe” claims in ways suggested by Annabelle Backman.
  • Added privacy considerations text suggested by Annabelle Backman.
  • Updated the RISC event example, courtesy of Marius Scurtescu.
  • Reordered the claim definitions to place the required claims first.
  • Changed to using the RFC 8174 boilerplate instead of the RFC 2119 boilerplate.

Thanks to Annabelle Backman, Marius Scurtescu, Phil Hunt, and Dick Hardt for the discussions that led to these simplifications.

The specification is available at:

An HTML-formatted version is also available at:

Powered by WordPress & Theme by Anders Norén