This was simplified in -3 in a way that removes the abused MUST. It now reads: At least one of the "sub" and "iss" claims MUST be present in the JWT. Some use cases may require that both be present.
-- Mike

From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Brian Campbell
Sent: Sunday, March 22, 2015 6:54 PM
To: oauth
Subject: [OAUTH-WG] 2119 abuse at the end of section 3 proof-of-possession-02

At the end of section 3<https://tools.ietf.org/html/draft-ietf-oauth-proof-of-possession-02#section-3> it says, 'At least one of the "sub" and "iss" claims MUST be present in the JWT, and in some use cases, both MUST be present.'

Admittedly I've misused RFC 2119 keywords a few times myself, so I say this aware of my own hypocrisy, but shouldn't the second "MUST" in that sentence be a little "must"? I don't think "some use cases" is enough to know when it applies. Maybe even splitting it up into two sentences? Something like, 'At least one of the "sub" and "iss" claims MUST be present in the JWT. Some use cases may require that both be present.'
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth