The Wonderful World of Tokens and Claims: CWT — CBOR Web Tokens


As we go back to work, we might have to get someone to sign a claim that we are allowed back into our offices. For this, we might get someone trusted (an issuer) to sign a document, and then we show this to a verifier at the front door in order to gain access. We thus make a claim to something, and the verifier trusts the signature on that claim. There then doesn’t have to be any contact between the issuer and the verifier, as the signature is known and trusted. But what about our digital world?

Well, basically, we live in a legacy software world.

Most of what we process and store is untrusted, and cannot really be traced for its correctness. If we started the Internet now, we would probably encapsulate our data, integrate integrity checks, and digitally sign things for their correctness and trustworthiness. For the rights to any data and servers, we would show digitally signed claims, which we can gain and then pass to a verifier to give us those rights. Basically, too, we would live in a zero-trust world, where we had no rights to anything unless we had a signed claim on it. This claim could last for an hour or for years, but would be limited in some way.

And so we should be moving into a world of tokens and claims. You probably already do this when you are…

--

Prof Bill Buchanan OBE FRSE
ASecuritySite: When Bob Met Alice

Professor of Cryptography. Serial innovator. Believer in fairness, justice & freedom. Based in Edinburgh. Old World Breaker. New World Creator. Building trust.