- From: Nico Williams <nico@cryptonector.com>
- Date: Wed, 23 Jul 2025 15:22:17 -0500
- To: Mark Nottingham <mnot@mnot.net>
- Cc: Brian Campbell <bcampbell@pingidentity.com>, Atul Tulshibagwale <atul@sgnl.ai>, ietf-http-wg@w3.org
On Tue, Jul 22, 2025 at 12:26:10PM +0200, Mark Nottingham wrote:
> It appears that you have two choices:
>
> 1. Decompose the JWT into its components and convey them as Byte
>    Sequences, probably in a Dictionary or perhaps Inner List
> 2. Convey that value as a String. What technical reason is there for
>    not wanting to put it in quotes?

I don't recommend decomposing the JWT. We should treat JWTs as opaque.

Suppose for example that someone wanted to extend JWTs to add, idk, a
proof of possession or something where they add extra items all
separated with ASCII '.', then any software that expects exactly three
such items will break.

RFC 2712 made the mistake of not treating Kerberos AP-REQs as opaque.
Let's not repeat that.

Nico
--
Received on Wednesday, 23 July 2025 20:22:25 UTC