On 25/10/2018 07:33, Carsten Bormann wrote:
+1 for making all the CWT-like structures into real CWTs.
A discussion of what we consider to be CWT-like structures and what not
would be helpful as a follow-up here.
If draft-ietf-oauth-jwsreq is any indication the OAuth WG seems to
consider that all requests to the AS can be passed as JWTs.
I'm unsure what their position on the AS responses is.
FYI my current reasoning and use of terms:
If a key/value pair is part of a CWT I call it a "claim".
If it is part of a request/response to the AS or RS I call it a "parameter".
I've been registering (or at least trying to) claims separately from
parameters, leading to several double-registrations, when certain
key/value definitions are used both as claims and parameters (such as
scope, cnf etc).
/Ludwig
--
Ludwig Seitz, PhD
Security Lab, RISE
Phone +46(0)70-349 92 51
_______________________________________________
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace