Security Event Token (SET) is now RFC 8417

IETF logoThe Security Event Token (SET) specification is now RFC 8417. The abstract describes the specification as:

This specification defines the Security Event Token (SET) data structure. A SET describes statements of fact from the perspective of an issuer about a subject. These statements of fact represent an event that occurred directly to or about a security subject, for example, a statement about the issuance or revocation of a token on behalf of a subject. This specification is intended to enable representing security- and identity-related events. A SET is a JSON Web Token (JWT), which can be optionally signed and/or encrypted. SETs can be distributed via protocols such as HTTP.

SETs are already in use to represent OpenID Connect Back-Channel Logout tokens and to represent Risk and Incident Sharing and Coordination (RISC) events. Thanks to my co-editors, members of the IETF ID Events mailing list, and members of the IETF Security Continue reading "Security Event Token (SET) is now RFC 8417"

OAuth 2.0 Authorization Server Metadata is now RFC 8414

OAuth logoThe OAuth 2.0 Authorization Server Metadata specification is now RFC 8414. The abstract describes the specification as:

This specification defines a metadata format that an OAuth 2.0 client can use to obtain the information needed to interact with an OAuth 2.0 authorization server, including its endpoint locations and authorization server capabilities.

The specification defines a JSON metadata representation for OAuth 2.0 authorization servers that is compatible with OpenID Connect Discovery 1.0. This specification is a true instance of standardizing existing practice. OAuth 2.0 deployments have been using the OpenID Connect metadata format to describe their endpoints and capabilities for years. This RFC makes this existing practice a standard.

Having a standard OAuth metadata format makes it easier for OAuth clients to configure connections to OAuth authorization servers. See https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#authorization-server-metadata for the initial set of registered metadata values.

Thanks to all of Continue reading "OAuth 2.0 Authorization Server Metadata is now RFC 8414"

Security Event Token (SET) updates addressing IESG feedback

IETF logoWe’ve updated the Security Event Token (SET) specification to address feedback received from Internet Engineering Steering Group (IESG) members. We’ve actually published three versions in quick succession in preparation for tomorrow’s evaluation by the IESG.

Draft -11 incorporated feedback from Security Area Director Eric Rescorla and IANA Designated Expert Ned Freed. Changes were:

  • Clarified “iss” claim language about the SET issuer versus the security subject issuer.
  • Changed a “SHOULD” to a “MUST” in the “sub” claim description to be consistent with the Requirements for SET Profiles section.
  • Described the use of the “events” claim to prevent attackers from passing off other kinds of JWTs as SETs.
  • Stated that SETs are to be signed by an issuer that is trusted to do so for the use case.
  • Added quotes in the phrase ‘”token revoked” SET to be issued’ in the Timing Issues section.
  • Added section number references to the media type Continue reading "Security Event Token (SET) updates addressing IESG feedback"

JWT BCP updates addressing WGLC feedback

OAuth logoThe JSON Web Token (JWT) Best Current Practices (BCP) specification has been updated to address the Working Group Last Call (WGLC) feedback received. Thanks to Neil Madden for his numerous comments and to Carsten Bormann and Brian Campbell for their reviews.

Assuming the chairs concur, the next step should be to request publication.

The specification is available at:

An HTML-formatted version is also available at:

“CBOR Web Token (CWT)” is now RFC 8392

IETF logoThe “CBOR Web Token (CWT)” specification is now RFC 8392 – an IETF standard. The abstract for the specification is:

CBOR Web Token (CWT) is a compact means of representing claims to be transferred between two parties. The claims in a CWT are encoded in the Concise Binary Object Representation (CBOR) and CBOR Object Signing and Encryption (COSE) is used for added application-layer security protection. A claim is a piece of information asserted about a subject and is represented as a name/value pair consisting of a claim name and a claim value. CWT is derived from JSON Web Token (JWT) but uses CBOR rather than JSON.

Special thanks to Erik Wahlström for starting this work and to Samuel Erdtman for doing most of the heavy lifting involved in creating correct and useful CBOR and COSE examples.

Next up – finishing “Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs)”, Continue reading "“CBOR Web Token (CWT)” is now RFC 8392"

Security Event Token (SET) spec addressing additional SecDir review comments

IETF logoAn updated Security Event Token (SET) specification has published to address recent review comments received. Changes were:

  • Incorporated wording improvements resulting from Russ Housley’s additional SecDir comments.
  • Registered +jwt structured syntax suffix.

The specification is available at:

An HTML-formatted version is also available at:

Late-breaking changes to OAuth Token Exchange syntax

OAuth logoThe syntax of two JWT claims registered by the OAuth Token Exchange specification has been changed as a result of developer feedback. Developers pointed out that the OAuth Token Introspection specification [RFC 7662] uses a “scope” string to represent scope values, whereas Token Exchange was defining an array-valued “scp” claim to represent scope values. The former also uses a “client_id” element to represent OAuth Client ID values, whereas the latter was using a “cid” claim for the same purpose.

After consulting with the working group, the OAuth Token Exchange claim names have been changed to “scope” and “client_id”. Thanks to Torsten Lodderstedt for pointing out the inconsistencies and to Brian Campbell for seeking consensus and making the updates.

The specification is available at:

An HTML-formatted version is also available at:

Security Event Token (SET) spec addressing SecDir review comments

IETF logoA new draft of the Security Event Token (SET) specification has published that addresses comments from Russ Housley, who reviewed the spec for the IETF Security Directorate (SecDir). Changes were:

  • Incorporated wording improvements resulting from Russ Housley’s SecDir comments.
  • Acknowledged individuals who made significant contributions.

The specification is available at:

An HTML-formatted version is also available at:

CBOR Web Token (CWT) spec for the RFC Editor

IETF logoOne more clarification to the CBOR Web Token (CWT) specification has been made to address a comment by IESG member Adam Roach. This version is being sent to the RFC Editor in preparation for its publication as an RFC. The change was:

  • Added section references when the terms “NumericDate” and “StringOrURI” are used, as suggested by Adam Roach.

Special thanks to Security Area Director Kathleen Moriarty for helping get this across the finish line!

The specification is available at:

An HTML-formatted version is also available at:

CBOR Web Token (CWT) spec addressing IESG comments

IETF logoThe CBOR Web Token (CWT) specification has been updated to address comments received from Internet Engineering Steering Group (IESG) members. Changes were:

  • Cleaned up the descriptions of the numeric ranges of claim keys being registered in the registration template for the “CBOR Web Token (CWT) Claims” registry, as suggested by Adam Roach.
  • Clarified the relationships between the JWT and CWT “NumericDate” and “StringOrURI” terms, as suggested by Adam Roach.
  • Eliminated unnecessary uses of the word “type”, as suggested by Adam Roach.
  • Added the text “IANA must only accept registry updates from the Designated Experts and should direct all requests for registration to the review mailing list” from RFC 7519, as suggested by Amanda Baber of IANA, which is also intended to address Alexey Melnikov’s comment.
  • Removed a superfluous comma, as suggested by Warren Kumari.
  • Acknowledged additional reviewers.

Special thanks to Security Area Director Kathleen Moriarty for helping get this across Continue reading "CBOR Web Token (CWT) spec addressing IESG comments"

CBOR Web Token (CWT) draft addressing IETF last call comments

IETF logoThe CBOR Web Token (CWT) specification has been updated to address IETF last call comments received to date, including GenArt, SecDir, Area Director, and additional shepherd comments. Changes were:

  • Clarified the registration criteria applied to different ranges of Claim Key values, as suggested by Kathleen Moriarty and Dan Romascanu.
  • No longer describe the syntax of CWT claims as being the same as that of the corresponding JWT claims, as suggested by Kyle Rose.
  • Added guidance about the selection of the Designated Experts, as suggested by Benjamin Kaduk.
  • Acknowledged additional reviewers.

The specification is available at:

An HTML-formatted version is also available at:

OAuth Authorization Server Metadata spec addressing additional IESG feedback

OAuth logoThe OAuth Authorization Server Metadata specification has been updated to address additional IESG feedback. The only change was to clarify the meaning of “case-insensitive”, as suggested by Alexey Melnikov.

The specification is available at:

An HTML-formatted version is also available at:

Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) spec with a few improvements

IETF logoA few local improvements have been made to the Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) specification. Changes were:

  • Changed “typically” to “often” when describing ways of performing proof of possession.
  • Changed b64 to hex encoding in an example.
  • Changed to using the RFC 8174 boilerplate instead of the RFC 2119 boilerplate.

Thanks to Samuel Erdtman for sharing the editing.

The specification is available at:

An HTML-formatted version is also available at:

Security Event Token (SET) spec addressing 2nd WGLC and shepherd comments

IETF logoA new draft of the Security Event Token (SET) specification has published that addresses review comments from the second Working Group Last Call and shepherd comments from Yaron Sheffer. Changes were:

  • Changed “when the event was issued” to “when the SET was issued” in the “iat” description, as suggested by Annabelle Backman.
  • Applied editorial improvements that improve the consistency of the specification that were suggested by Annabelle Backman, Marius Scurtescu, and Yaron Sheffer.

The specification is available at:

An HTML-formatted version is also available at:

OAuth Authorization Server Metadata spec addressing IESG feedback

OAuth logoThe OAuth Authorization Server Metadata specification has been updated to address feedback received from IESG members. Changes were:

  • Revised the transformation between the issuer identifier and the authorization server metadata location to conform to BCP 190, as suggested by Adam Roach.
  • Defined the characters allowed in registered metadata names and values, as suggested by Alexey Melnikov.
  • Changed to using the RFC 8174 boilerplate instead of the RFC 2119 boilerplate, as suggested by Ben Campbell.
  • Acknowledged additional reviewers.

The specification is available at:

An HTML-formatted version is also available at:

CBOR Web Token (CWT) draft addressing shepherd review comments

IETF logoThe CBOR Web Token (CWT) specification has been updated to address the shepherd comments by Benjamin Kaduk. Changes were:

  • Updated the RFC 5226 reference to RFC 8126.
  • Made the IANA registration criteria consistent across sections.
  • Stated that registrations for the limited set of values between -256 and 255 and strings of length 1 are to be restricted to claims with general applicability.
  • Changed the “Reference” field name to “Description of Semantics” in the CBOR Tag registration request.
  • Asked the RFC Editor whether it is possible to preserve the non-ASCII spellings of the names Erik Wahlström and Göran Selander in the final specification.

Thanks to Ben for his careful review of the specification!

The specification is available at:

An HTML-formatted version is also available at:

Security Event Token (SET) spec simplifying claims usage

IETF logoThe Security Event Token (SET) specification has been updated to simplify the definitions and usage of the “iat” (issued at) and “toe” (time of event) claims. The full set of changes made was:

  • Simplified the definitions of the “iat” and “toe” claims in ways suggested by Annabelle Backman.
  • Added privacy considerations text suggested by Annabelle Backman.
  • Updated the RISC event example, courtesy of Marius Scurtescu.
  • Reordered the claim definitions to place the required claims first.
  • Changed to using the RFC 8174 boilerplate instead of the RFC 2119 boilerplate.

Thanks to Annabelle Backman, Marius Scurtescu, Phil Hunt, and Dick Hardt for the discussions that led to these simplifications.

The specification is available at:

An HTML-formatted version is also available at:

CBOR Web Token (CWT) draft correcting an example

IETF logoA new CBOR Web Token (CWT) draft has been published that applies a correction to an example. The full list of changes is:

  • Corrected the “iv” value in the signed and encrypted CWT example.
  • Mention CoAP in the application/cwt media type registration.
  • Changed references of the form “Section 4.1.1 of JWT <xref target="RFC7519"/>” to “Section 4.1.1 of <xref target="RFC7519"/>” so that rfcmarkup will generate correct external section reference links.
  • Updated Acknowledgements.

Thanks to Samuel Erdtman for validating all the examples once more and finding the issue with the signed and encrypted example. Thanks to Benjamin Kaduk for pointing out additional improvements that could be applied from the second WGLC comments.

The specification is available at:

An HTML-formatted version is also available at: