Security Event Token (SET) spec incorporating clarifications and a RISC example

IETF logoA new version of the Security Event Token (SET) specification has been published that incorporates clarifications suggested by working group members in discussions since IETF 100. Changes were:

  • Clarified that all “events” values must represent aspects of the same state change that occurred to the subject — not an aggregation of unrelated events about the subject.
  • Removed ambiguities about the roles of multiple “events” values and the responsibilities of profiling specifications for defining how and when they are used.
  • Corrected places where the term JWT was used when what was actually being discussed was the JWT Claims Set.
  • Addressed terminology inconsistencies. In particular, standardized on using the term “issuer” to align with JWT terminology and the “iss” claim. Previously the term “transmitter” was sometimes used and “issuer” was sometimes used. Likewise, standardized on using the term “recipient” instead of “receiver” for the same reasons.
  • Added a RISC event example, courtesy Marius Scurtescu.
  • Applied wording clarifications suggested by Annabelle Backman and Yaron Sheffer.
  • Applied numerous grammar, syntax, and formatting corrections.

No changes to the semantics of the specification were made.

The specification is available at:

An HTML-formatted version is also available at:

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.