idnits 2.17.1 draft-yusef-oauth-nested-jwt-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == The document doesn't use any RFC 2119 keywords, yet seems to have RFC 2119 boilerplate text. == The document seems to contain a disclaimer for pre-RFC5378 work, but was first submitted on or after 10 November 2008. The disclaimer is usually necessary only for documents that revise or obsolete older RFCs, and that take significant amounts of text from those RFCs. If you can contact all authors of the source material and they are willing to grant the BCP78 rights to the IETF Trust, you can and should remove the disclaimer. Otherwise, the disclaimer is needed and you can ignore this comment. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (March 11, 2019) is 1871 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) No issues found here. Summary: 0 errors (**), 0 flaws (~~), 3 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 ACME Working Group R. Shekh-Yusef 3 Internet-Draft Avaya 4 Intended status: Standards Track March 11, 2019 5 Expires: September 12, 2019 7 Nested JSON Web Token (JWT) 8 draft-yusef-oauth-nested-jwt-00 10 Abstract 12 This specification extends the scope of the Nested JSON Web Token 13 (JWT) to allow the enclosing JWT to contain its own Claims Set in 14 addition to the enclosed JWT. 16 Status of This Memo 18 This Internet-Draft is submitted in full conformance with the 19 provisions of BCP 78 and BCP 79. 21 Internet-Drafts are working documents of the Internet Engineering 22 Task Force (IETF). Note that other groups may also distribute 23 working documents as Internet-Drafts. The list of current Internet- 24 Drafts is at https://datatracker.ietf.org/drafts/current/. 26 Internet-Drafts are draft documents valid for a maximum of six months 27 and may be updated, replaced, or obsoleted by other documents at any 28 time. It is inappropriate to use Internet-Drafts as reference 29 material or to cite them other than as "work in progress." 31 This Internet-Draft will expire on September 12, 2019. 33 Copyright Notice 35 Copyright (c) 2019 IETF Trust and the persons identified as the 36 document authors. All rights reserved. 38 This document is subject to BCP 78 and the IETF Trust's Legal 39 Provisions Relating to IETF Documents 40 (https://trustee.ietf.org/license-info) in effect on the date of 41 publication of this document. Please review these documents 42 carefully, as they describe your rights and restrictions with respect 43 to this document. Code Components extracted from this document must 44 include Simplified BSD License text as described in Section 4.e of 45 the Trust Legal Provisions and are provided without warranty as 46 described in the Simplified BSD License. 48 This document may contain material from IETF Documents or IETF 49 Contributions published or made publicly available before November 50 10, 2008. The person(s) controlling the copyright in some of this 51 material may not have granted the IETF Trust the right to allow 52 modifications of such material outside the IETF Standards Process. 53 Without obtaining an adequate license from the person(s) controlling 54 the copyright in such materials, this document may not be modified 55 outside the IETF Standards Process, and derivative works of it may 56 not be created outside the IETF Standards Process, except to format 57 it for publication as an RFC or to translate it into languages other 58 than English. 60 Table of Contents 62 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 63 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 2 64 2. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 3 65 3. JWT Content Type Header Parameter . . . . . . . . . . . . . . 3 66 4. JWT Content . . . . . . . . . . . . . . . . . . . . . . . . . 3 67 5. Example . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 68 6. Security Considerations . . . . . . . . . . . . . . . . . . . 4 69 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4 70 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 4 71 9. Normative References . . . . . . . . . . . . . . . . . . . . 4 72 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 4 74 1. Introduction 76 JSON Web Token (JWT) is a mechanism that is used to transfer claims 77 between two parties across security domains. Nested JWT is a JWT in 78 which the payload is another JWT. The current specification does not 79 define a means by which the enclosing JWT could have its own Claims 80 Set, only the enclosed JWT would have claims. 82 This specification extends the scope of the Nested JWT to allow the 83 enclosing JWT to contain its own Claims Set in addition to the 84 enclosed JWT. 86 1.1. Terminology 88 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 89 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 90 document are to be interpreted as described in [RFC2119]. 92 2. Overview 94 RFC7519 defines Nested JWT as a JWT in which nested signing and/or 95 encryption are employed. In Nested JWTs, a JWT is used as the 96 payload or plaintext value of an enclosing JWS or JWE structure, 97 respectively. 99 To indicate that the payload of an enclosing JWT is yet another JWT, 100 the value of the Content Type Parameter of the JOSE header, i.e. 101 "cty", must be set to "JWT", which means that the enclosing JWT 102 cannot have its own claims. 104 This document updates the enclosing JWT content to allow it to 105 represent a Claims Set and an enclosed JWT, using JSON data 106 structures, and updates the Content Type to indicate this new nested 107 content. 109 3. JWT Content Type Header Parameter 111 The JOSE Header contains an optional parameter that could be used to 112 indicate the type of the payload of a JWT. With a typical Nested 113 JWT, the value of the "cty" header must be "JWT". To indicate that 114 the payload contains a Claims Set in addition to the JWT, the value 115 of the "cty" header must be "NJWT". 117 4. JWT Content 119 The payload of the enclosing JWT is JSON object that contains the 120 Claims Set, and one new claim that is used to hold the enclosed JWT. 122 This document defines a new claim, "njwt", that is used to contain 123 the enclosed JWT. 125 5. Example 127 { 128 "alg": "HS256", 129 "typ": "JWT", 130 "cty": "NJWT" 131 } 133 { 134 "sub": "1234567890", 135 "name": "John Doe", 136 "iat": 1516239022, 137 "njwt": "" 138 } 140 6. Security Considerations 142 TODO 144 7. IANA Considerations 146 TODO 148 8. Acknowledgments 150 TODO 152 9. Normative References 154 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 155 Requirement Levels", RFC 2119, March 1997. 157 Author's Address 159 Rifaat Shekh-Yusef 160 Avaya 161 250 Sidney Street 162 Belleville, Ontario 163 Canada 165 Phone: +1-613-967-5176 166 EMail: rifaat.ietf@gmail.com