< draft-ietf-oauth-json-web-token-18.txt   draft-ietf-oauth-json-web-token-19.txt >
OAuth Working Group M. Jones OAuth Working Group M. Jones
Internet-Draft Microsoft Internet-Draft Microsoft
Intended status: Standards Track J. Bradley Intended status: Standards Track J. Bradley
Expires: September 4, 2014 Ping Identity Expires: September 19, 2014 Ping Identity
N. Sakimura N. Sakimura
NRI NRI
March 3, 2014 March 18, 2014
JSON Web Token (JWT) JSON Web Token (JWT)
draft-ietf-oauth-json-web-token-18 draft-ietf-oauth-json-web-token-19
Abstract Abstract
JSON Web Token (JWT) is a compact URL-safe means of representing JSON Web Token (JWT) is a compact URL-safe means of representing
claims to be transferred between two parties. The claims in a JWT claims to be transferred between two parties. The claims in a JWT
are encoded as a JavaScript Object Notation (JSON) object that is are encoded as a JavaScript Object Notation (JSON) object that is
used as the payload of a JSON Web Signature (JWS) structure or as the used as the payload of a JSON Web Signature (JWS) structure or as the
plaintext of a JSON Web Encryption (JWE) structure, enabling the plaintext of a JSON Web Encryption (JWE) structure, enabling the
claims to be digitally signed or MACed and/or encrypted. claims to be digitally signed or MACed and/or encrypted.
skipping to change at page 1, line 41 skipping to change at page 1, line 41
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 4, 2014. This Internet-Draft will expire on September 19, 2014.
Copyright Notice Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 38 skipping to change at page 2, line 38
4.2. Public Claim Names . . . . . . . . . . . . . . . . . . . . 10 4.2. Public Claim Names . . . . . . . . . . . . . . . . . . . . 10
4.3. Private Claim Names . . . . . . . . . . . . . . . . . . . 10 4.3. Private Claim Names . . . . . . . . . . . . . . . . . . . 10
5. JWT Header . . . . . . . . . . . . . . . . . . . . . . . . . . 10 5. JWT Header . . . . . . . . . . . . . . . . . . . . . . . . . . 10
5.1. "typ" (Type) Header Parameter . . . . . . . . . . . . . . 11 5.1. "typ" (Type) Header Parameter . . . . . . . . . . . . . . 11
5.2. "cty" (Content Type) Header Parameter . . . . . . . . . . 11 5.2. "cty" (Content Type) Header Parameter . . . . . . . . . . 11
5.3. Replicating Claims as Header Parameters . . . . . . . . . 11 5.3. Replicating Claims as Header Parameters . . . . . . . . . 11
6. Plaintext JWTs . . . . . . . . . . . . . . . . . . . . . . . . 12 6. Plaintext JWTs . . . . . . . . . . . . . . . . . . . . . . . . 12
6.1. Example Plaintext JWT . . . . . . . . . . . . . . . . . . 12 6.1. Example Plaintext JWT . . . . . . . . . . . . . . . . . . 12
7. Rules for Creating and Validating a JWT . . . . . . . . . . . 13 7. Rules for Creating and Validating a JWT . . . . . . . . . . . 13
7.1. String Comparison Rules . . . . . . . . . . . . . . . . . 14 7.1. String Comparison Rules . . . . . . . . . . . . . . . . . 14
8. Cryptographic Algorithms . . . . . . . . . . . . . . . . . . . 15 8. Implementation Requirements . . . . . . . . . . . . . . . . . 15
9. URI for Declaring that Content is a JWT . . . . . . . . . . . 15 9. URI for Declaring that Content is a JWT . . . . . . . . . . . 15
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16
10.1. JSON Web Token Claims Registry . . . . . . . . . . . . . . 15 10.1. JSON Web Token Claims Registry . . . . . . . . . . . . . . 16
10.1.1. Registration Template . . . . . . . . . . . . . . . . 16 10.1.1. Registration Template . . . . . . . . . . . . . . . . 17
10.1.2. Initial Registry Contents . . . . . . . . . . . . . . 17 10.1.2. Initial Registry Contents . . . . . . . . . . . . . . 17
10.2. Sub-Namespace Registration of 10.2. Sub-Namespace Registration of
urn:ietf:params:oauth:token-type:jwt . . . . . . . . . . . 18 urn:ietf:params:oauth:token-type:jwt . . . . . . . . . . . 18
10.2.1. Registry Contents . . . . . . . . . . . . . . . . . . 18 10.2.1. Registry Contents . . . . . . . . . . . . . . . . . . 18
10.3. Media Type Registration . . . . . . . . . . . . . . . . . 18 10.3. Media Type Registration . . . . . . . . . . . . . . . . . 18
10.3.1. Registry Contents . . . . . . . . . . . . . . . . . . 18 10.3.1. Registry Contents . . . . . . . . . . . . . . . . . . 18
10.4. Registration of JWE Header Parameter Names . . . . . . . . 19 10.4. Registration of JWE Header Parameter Names . . . . . . . . 19
10.4.1. Registry Contents . . . . . . . . . . . . . . . . . . 19 10.4.1. Registry Contents . . . . . . . . . . . . . . . . . . 19
11. Security Considerations . . . . . . . . . . . . . . . . . . . 19 11. Security Considerations . . . . . . . . . . . . . . . . . . . 19
12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 20 12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 20
12.1. Normative References . . . . . . . . . . . . . . . . . . . 20 12.1. Normative References . . . . . . . . . . . . . . . . . . . 20
12.2. Informative References . . . . . . . . . . . . . . . . . . 21 12.2. Informative References . . . . . . . . . . . . . . . . . . 21
Appendix A. JWT Examples . . . . . . . . . . . . . . . . . . . . 22 Appendix A. JWT Examples . . . . . . . . . . . . . . . . . . . . 22
A.1. Example Encrypted JWT . . . . . . . . . . . . . . . . . . 22 A.1. Example Encrypted JWT . . . . . . . . . . . . . . . . . . 22
A.2. Example Nested JWT . . . . . . . . . . . . . . . . . . . . 23 A.2. Example Nested JWT . . . . . . . . . . . . . . . . . . . . 23
Appendix B. Relationship of JWTs to SAML Assertions . . . . . . . 25 Appendix B. Relationship of JWTs to SAML Assertions . . . . . . . 25
Appendix C. Relationship of JWTs to Simple Web Tokens (SWTs) . . 25 Appendix C. Relationship of JWTs to Simple Web Tokens (SWTs) . . 26
Appendix D. Acknowledgements . . . . . . . . . . . . . . . . . . 25 Appendix D. Acknowledgements . . . . . . . . . . . . . . . . . . 26
Appendix E. Document History . . . . . . . . . . . . . . . . . . 26 Appendix E. Document History . . . . . . . . . . . . . . . . . . 26
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 30 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 31
1. Introduction 1. Introduction
JSON Web Token (JWT) is a compact claims representation format JSON Web Token (JWT) is a compact claims representation format
intended for space constrained environments such as HTTP intended for space constrained environments such as HTTP
Authorization headers and URI query parameters. JWTs encode claims Authorization headers and URI query parameters. JWTs encode claims
to be transmitted as a JavaScript Object Notation (JSON) [RFC7158] to be transmitted as a JavaScript Object Notation (JSON) [RFC7159]
object that is used as the payload of a JSON Web Signature (JWS) object that is used as the payload of a JSON Web Signature (JWS)
[JWS] structure or as the plaintext of a JSON Web Encryption (JWE) [JWS] structure or as the plaintext of a JSON Web Encryption (JWE)
[JWE] structure, enabling the claims to be digitally signed or MACed [JWE] structure, enabling the claims to be digitally signed or MACed
and/or encrypted. JWTs are always represented using the JWS Compact and/or encrypted. JWTs are always represented using the JWS Compact
Serialization or the JWE Compact Serialization. Serialization or the JWE Compact Serialization.
The suggested pronunciation of JWT is the same as the English word The suggested pronunciation of JWT is the same as the English word
"jot". "jot".
1.1. Notational Conventions 1.1. Notational Conventions
skipping to change at page 6, line 22 skipping to change at page 6, line 22
IntDate IntDate
A JSON numeric value representing the number of seconds from 1970- A JSON numeric value representing the number of seconds from 1970-
01-01T0:0:0Z UTC until the specified UTC date/time. See RFC 3339 01-01T0:0:0Z UTC until the specified UTC date/time. See RFC 3339
[RFC3339] for details regarding date/times in general and UTC in [RFC3339] for details regarding date/times in general and UTC in
particular. particular.
3. JSON Web Token (JWT) Overview 3. JSON Web Token (JWT) Overview
JWTs represent a set of claims as a JSON object that is encoded in a JWTs represent a set of claims as a JSON object that is encoded in a
JWS and/or JWE structure. This JSON object is the JWT Claims Set. As JWS and/or JWE structure. This JSON object is the JWT Claims Set. As
per Section 4 of [RFC7158], the JSON object consists of zero or more per Section 4 of [RFC7159], the JSON object consists of zero or more
name/value pairs (or members), where the names are strings and the name/value pairs (or members), where the names are strings and the
values are arbitrary JSON values. These members are the claims values are arbitrary JSON values. These members are the claims
represented by the JWT. represented by the JWT.
The member names within the JWT Claims Set are referred to as Claim The member names within the JWT Claims Set are referred to as Claim
Names. The corresponding values are referred to as Claim Values. Names. The corresponding values are referred to as Claim Values.
The contents of the JWT Header describe the cryptographic operations The contents of the JWT Header describe the cryptographic operations
applied to the JWT Claims Set. If the JWT Header is a JWS Header, the applied to the JWT Claims Set. If the JWT Header is a JWS Header, the
JWT is represented as a JWS, and the claims are digitally signed or JWT is represented as a JWS, and the claims are digitally signed or
skipping to change at page 14, line 15 skipping to change at page 14, line 15
1. The JWT MUST contain at least one period ('.') character. 1. The JWT MUST contain at least one period ('.') character.
2. Let the Encoded JWT Header be the portion of the JWT before the 2. Let the Encoded JWT Header be the portion of the JWT before the
first period ('.') character. first period ('.') character.
3. The Encoded JWT Header MUST be successfully base64url decoded 3. The Encoded JWT Header MUST be successfully base64url decoded
following the restriction given in this specification that no following the restriction given in this specification that no
padding characters have been used. padding characters have been used.
4. The resulting JWT Header MUST be completely valid JSON syntax 4. The resulting JWT Header MUST be completely valid JSON syntax
conforming to [RFC7158]. conforming to [RFC7159].
5. The resulting JWT Header MUST be validated to only include 5. The resulting JWT Header MUST be validated to only include
parameters and values whose syntax and semantics are both parameters and values whose syntax and semantics are both
understood and supported or that are specified as being ignored understood and supported or that are specified as being ignored
when not understood. when not understood.
6. Determine whether the JWT is a JWS or a JWE using any of the 6. Determine whether the JWT is a JWS or a JWE using any of the
methods described in Section 9 of [JWE]. methods described in Section 9 of [JWE].
7. Depending upon whether the JWT is a JWS or JWE, there are two 7. Depending upon whether the JWT is a JWS or JWE, there are two
skipping to change at page 14, line 44 skipping to change at page 14, line 44
JWE Plaintext. JWE Plaintext.
8. If the JWT Header contains a "cty" (content type) value of 8. If the JWT Header contains a "cty" (content type) value of
"JWT", then the Message is a JWT that was the subject of nested "JWT", then the Message is a JWT that was the subject of nested
signing or encryption operations. In this case, return to Step signing or encryption operations. In this case, return to Step
1, using the Message as the JWT. 1, using the Message as the JWT.
9. Otherwise, let the JWT Claims Set be the Message. 9. Otherwise, let the JWT Claims Set be the Message.
10. The JWT Claims Set MUST be completely valid JSON syntax 10. The JWT Claims Set MUST be completely valid JSON syntax
conforming to [RFC7158]. conforming to [RFC7159].
7.1. String Comparison Rules 7.1. String Comparison Rules
Processing a JWT inevitably requires comparing known strings to Processing a JWT inevitably requires comparing known strings to
values in JSON objects. For example, in checking what the algorithm values in JSON objects. For example, in checking what the algorithm
is, the Unicode string encoding "alg" will be checked against the is, the Unicode string encoding "alg" will be checked against the
member names in the JWT Header to see if there is a matching Header member names in the JWT Header to see if there is a matching Header
Parameter Name. Parameter Name.
Comparisons between JSON strings and other Unicode strings MUST be Comparisons between JSON strings and other Unicode strings MUST be
performed by comparing Unicode code points without normalization, as performed by comparing Unicode code points without normalization, as
specified in the String Comparison Rules in Section 5.3 of [JWS]. specified in the String Comparison Rules in Section 5.3 of [JWS].
8. Cryptographic Algorithms 8. Implementation Requirements
JWTs use JSON Web Signature (JWS) [JWS] and JSON Web Encryption (JWE) This section defines which algorithms and features of this
[JWE] to sign and/or encrypt the contents of the JWT. specification are mandatory to implement. Applications using this
specification can impose additional requirements upon implementations
that they use. For instance, an application might require support
for encrypted JWTs and Nested JWTs; another might require support for
signing JWTs with ECDSA using the P-256 curve and the SHA-256 hash
algorithm ("ES256").
Of the signature and MAC algorithms specified in JSON Web Algorithms Of the signature and MAC algorithms specified in JSON Web Algorithms
(JWA) [JWA], only HMAC SHA-256 ("HS256") and "none" MUST be (JWA) [JWA], only HMAC SHA-256 ("HS256") and "none" MUST be
implemented by conforming JWT implementations. It is RECOMMENDED implemented by conforming JWT implementations. It is RECOMMENDED
that implementations also support RSASSA-PKCS1-V1_5 with the SHA-256 that implementations also support RSASSA-PKCS1-V1_5 with the SHA-256
hash algorithm ("RS256") and ECDSA using the P-256 curve and the SHA- hash algorithm ("RS256") and ECDSA using the P-256 curve and the SHA-
256 hash algorithm ("ES256"). Support for other algorithms and key 256 hash algorithm ("ES256"). Support for other algorithms and key
sizes is OPTIONAL. sizes is OPTIONAL.
If an implementation provides encryption capabilities, of the Support for encrypted JWTs is OPTIONAL. If an implementation
encryption algorithms specified in [JWA], only RSAES-PKCS1-V1_5 with provides encryption capabilities, of the encryption algorithms
2048 bit keys ("RSA1_5"), AES Key Wrap with 128 and 256 bit keys specified in [JWA], only RSAES-PKCS1-V1_5 with 2048 bit keys
("A128KW" and "A256KW"), and the composite authenticated encryption ("RSA1_5"), AES Key Wrap with 128 and 256 bit keys ("A128KW" and
algorithm using AES CBC and HMAC SHA-2 ("A128CBC-HS256" and "A256KW"), and the composite authenticated encryption algorithm using
"A256CBC-HS512") MUST be implemented by conforming implementations. AES CBC and HMAC SHA-2 ("A128CBC-HS256" and "A256CBC-HS512") MUST be
It is RECOMMENDED that implementations also support using ECDH-ES to implemented by conforming implementations. It is RECOMMENDED that
agree upon a key used to wrap the Content Encryption Key implementations also support using ECDH-ES to agree upon a key used
("ECDH-ES+A128KW" and "ECDH-ES+A256KW") and AES in Galois/Counter to wrap the Content Encryption Key ("ECDH-ES+A128KW" and
Mode (GCM) with 128 bit and 256 bit keys ("A128GCM" and "A256GCM"). "ECDH-ES+A256KW") and AES in Galois/Counter Mode (GCM) with 128 bit
Support for other algorithms and key sizes is OPTIONAL. and 256 bit keys ("A128GCM" and "A256GCM"). Support for other
algorithms and key sizes is OPTIONAL.
Support for Nested JWTs is OPTIONAL.
9. URI for Declaring that Content is a JWT 9. URI for Declaring that Content is a JWT
This specification registers the URN This specification registers the URN
"urn:ietf:params:oauth:token-type:jwt" for use by applications that "urn:ietf:params:oauth:token-type:jwt" for use by applications that
declare content types using URIs (rather than, for instance, MIME declare content types using URIs (rather than, for instance, MIME
Media Types) to indicate that the content referred to is a JWT. Media Types) to indicate that the content referred to is a JWT.
10. IANA Considerations 10. IANA Considerations
skipping to change at page 20, line 45 skipping to change at page 21, line 6
5.1 Edition", ECMA 262, June 2011. 5.1 Edition", ECMA 262, June 2011.
[IANA.MediaTypes] [IANA.MediaTypes]
Internet Assigned Numbers Authority (IANA), "MIME Media Internet Assigned Numbers Authority (IANA), "MIME Media
Types", 2005. Types", 2005.
[JWA] Jones, M., "JSON Web Algorithms (JWA)", [JWA] Jones, M., "JSON Web Algorithms (JWA)",
draft-ietf-jose-json-web-algorithms (work in progress), draft-ietf-jose-json-web-algorithms (work in progress),
March 2014. March 2014.
[JWE] Jones, M., Rescorla, E., and J. Hildebrand, "JSON Web [JWE] Jones, M. and J. Hildebrand, "JSON Web Encryption (JWE)",
Encryption (JWE)", draft-ietf-jose-json-web-encryption draft-ietf-jose-json-web-encryption (work in progress),
(work in progress), March 2014. March 2014.
[JWK] Jones, M., "JSON Web Key (JWK)", [JWK] Jones, M., "JSON Web Key (JWK)",
draft-ietf-jose-json-web-key (work in progress), draft-ietf-jose-json-web-key (work in progress),
March 2014. March 2014.
[JWS] Jones, M., Bradley, J., and N. Sakimura, "JSON Web [JWS] Jones, M., Bradley, J., and N. Sakimura, "JSON Web
Signature (JWS)", draft-ietf-jose-json-web-signature (work Signature (JWS)", draft-ietf-jose-json-web-signature (work
in progress), March 2014. in progress), March 2014.
[RFC2046] Freed, N. and N. Borenstein, "Multipurpose Internet Mail [RFC2046] Freed, N. and N. Borenstein, "Multipurpose Internet Mail
skipping to change at page 21, line 24 skipping to change at page 21, line 32
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
Resource Identifier (URI): Generic Syntax", STD 66, Resource Identifier (URI): Generic Syntax", STD 66,
RFC 3986, January 2005. RFC 3986, January 2005.
[RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data [RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data
Encodings", RFC 4648, October 2006. Encodings", RFC 4648, October 2006.
[RFC7158] Bray, T., "The JavaScript Object Notation (JSON) Data [RFC7159] Bray, T., "The JavaScript Object Notation (JSON) Data
Interchange Format", RFC 7158, March 2014. Interchange Format", RFC 7159, March 2014.
12.2. Informative References 12.2. Informative References
[CanvasApp] [CanvasApp]
Facebook, "Canvas Applications", 2010. Facebook, "Canvas Applications", 2010.
[JSS] Bradley, J. and N. Sakimura (editor), "JSON Simple Sign", [JSS] Bradley, J. and N. Sakimura (editor), "JSON Simple Sign",
September 2010. September 2010.
[MagicSignatures] [MagicSignatures]
skipping to change at page 25, line 19 skipping to change at page 25, line 40
than supported by JWTs. However, the cost of this flexibility and than supported by JWTs. However, the cost of this flexibility and
expressiveness is both size and complexity. SAML's use of XML expressiveness is both size and complexity. SAML's use of XML
[W3C.CR-xml11-20021015] and XML DSIG [RFC3275] contributes to the [W3C.CR-xml11-20021015] and XML DSIG [RFC3275] contributes to the
size of SAML assertions; its use of XML and especially XML size of SAML assertions; its use of XML and especially XML
Canonicalization [W3C.REC-xml-c14n-20010315] contributes to their Canonicalization [W3C.REC-xml-c14n-20010315] contributes to their
complexity. complexity.
JWTs are intended to provide a simple security token format that is JWTs are intended to provide a simple security token format that is
small enough to fit into HTTP headers and query arguments in URIs. small enough to fit into HTTP headers and query arguments in URIs.
It does this by supporting a much simpler token model than SAML and It does this by supporting a much simpler token model than SAML and
using the JSON [RFC7158] object encoding syntax. It also supports using the JSON [RFC7159] object encoding syntax. It also supports
securing tokens using Message Authentication Codes (MACs) and digital securing tokens using Message Authentication Codes (MACs) and digital
signatures using a smaller (and less flexible) format than XML DSIG. signatures using a smaller (and less flexible) format than XML DSIG.
Therefore, while JWTs can do some of the things SAML assertions do, Therefore, while JWTs can do some of the things SAML assertions do,
JWTs are not intended as a full replacement for SAML assertions, but JWTs are not intended as a full replacement for SAML assertions, but
rather as a token format to be used when ease of implementation or rather as a token format to be used when ease of implementation or
compactness are considerations. compactness are considerations.
SAML Assertions are always statements made by an entity about a SAML Assertions are always statements made by an entity about a
subject. JWTs are often used in the same manner, with the entity subject. JWTs are often used in the same manner, with the entity
skipping to change at page 26, line 28 skipping to change at page 26, line 48
Schaad, Paul Tarjan, Hannes Tschofenig, and Sean Turner. Schaad, Paul Tarjan, Hannes Tschofenig, and Sean Turner.
Hannes Tschofenig and Derek Atkins chaired the OAuth working group Hannes Tschofenig and Derek Atkins chaired the OAuth working group
and Sean Turner and Stephen Farrell served as Security area directors and Sean Turner and Stephen Farrell served as Security area directors
during the creation of this specification. during the creation of this specification.
Appendix E. Document History Appendix E. Document History
[[ to be removed by the RFC Editor before publication as an RFC ]] [[ to be removed by the RFC Editor before publication as an RFC ]]
-19
o Specified that support for Nested JWTs is optional and that
applications using this specification can impose additional
requirements upon implementations that they use.
o Updated the JSON reference to RFC 7159.
-18 -18
o Clarified that the base64url encoding includes no line breaks, o Clarified that the base64url encoding includes no line breaks,
white space, or other additional characters. white space, or other additional characters.
o Removed circularity in the audience claim definition. o Removed circularity in the audience claim definition.
o Clarified that it is entirely up to applications which claims to o Clarified that it is entirely up to applications which claims to
use. use.
 End of changes. 19 change blocks. 
35 lines changed or deleted 50 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/