ECT Claim Mapping: JWT to CWT
This document provides a standalone reference for mapping JWT claim names from draft-nennemann-wimse-execution-context to CWT integer keys defined in draft-nennemann-wimse-execution-context-cbor.
Standard CWT Claims (Existing IANA Registry)
| JWT Claim | CWT Key | CBOR Type | Req/Opt | Description | Encoding Notes |
|---|---|---|---|---|---|
| iss | 1 | tstr | REQ | Issuer (SPIFFE ID) | Identical text |
| sub | 2 | tstr | OPT | Subject (= iss) | Identical text |
| aud | 3 | tstr / [+ tstr] | REQ | Audience | Identical text; array for multi-audience |
| exp | 4 | int | REQ | Expiration | Integer epoch seconds (no fractions) |
| iat | 6 | int | REQ | Issued At | Integer epoch seconds (no fractions) |
| jti / cti | 7 | bstr .size 16 | REQ | Token ID / Task ID | UUID as 16-byte binary (not 36-byte text); serves as both token and task identifier |
Note: nbf (CWT key 5) is not used in ECTs. The jti/cti claim serves as both the token identifier (for replay detection) and the task identifier (for DAG parent references in par), since each ECT records exactly one task.
ECT-Specific Claims (New Registrations)
| JWT Claim | CWT Key | CBOR Type | Req/Opt | Description | Encoding Notes |
|---|---|---|---|---|---|
| wid | 300 | bstr .size 16 | OPT | Workflow ID | UUID as 16-byte binary |
| exec_act | 301 | tstr | REQ | Action/task type | Identical text |
| par | 302 | [* bstr .size 16] | REQ | Parent ECT IDs | Array of parent cti UUIDs (16-byte binary); empty = root |
| pol | 303 | tstr | OPT | Policy rule ID | Identical text; must be paired with pol_decision |
| pol_decision | 304 | uint (0..2) | OPT | Policy decision | 0=approved, 1=rejected, 2=pending_human_review; must be paired with pol |
| pol_enforcer | 305 | tstr | OPT | Policy enforcer | Identical text (SPIFFE ID) |
| pol_timestamp | 306 | int | OPT | Policy timestamp | Integer epoch seconds |
| inp_hash | 307 | [int, bstr] | OPT | Input data hash | [COSE_alg_id, raw_hash_bytes] |
| out_hash | 308 | [int, bstr] | OPT | Output data hash | [COSE_alg_id, raw_hash_bytes] |
| inp_classification | 309 | tstr | OPT | Input classification | Identical text |
| exec_time_ms | 310 | uint | OPT | Execution time (ms) | Identical integer |
| regulated_domain | 311 | uint (0..2) | OPT | Regulatory domain | 0=medtech, 1=finance, 2=military |
| model_version | 312 | tstr | OPT | AI/ML model version | Identical text |
| witnessed_by | 313 | [+ tstr] | OPT | Witness identities | Identical text array (SPIFFE IDs) |
| compensation_required | 314 | bool | OPT | Compensation flag | CBOR true/false |
| compensation_reason | 315 | tstr | OPT | Compensation reason | Identical text |
| ext | 316 | map { tstr => any } | OPT | Extension map | Keys: reverse domain notation; values: any CBOR |
Enumeration Mappings
Policy Decision Values (pol_decision)
| CBOR uint | JWT string | Description |
|---|---|---|
| 0 | "approved" | Policy evaluation succeeded |
| 1 | "rejected" | Policy evaluation failed |
| 2 | "pending_human_review" | Awaiting human judgment |
Regulated Domain Values (regulated_domain)
| CBOR uint | JWT string | Description |
|---|---|---|
| 0 | "medtech" | Medical technology and devices |
| 1 | "finance" | Financial services and trading |
| 2 | "military" | Military and defense |
Hash Algorithm Mapping
JWT ECTs use the string format "algorithm:base64url-hash". CBOR ECTs use the structured array [cose_algorithm_id, raw_hash_bytes].
| JWT Hash Algorithm String | COSE Algorithm ID | Reference |
|---|---|---|
| sha-256 | -16 | RFC 9053 |
| sha-384 | -43 | RFC 9053 |
| sha-512 | -44 | RFC 9053 |
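
The claim, enumeration and hash mappings above, applied to a decoded JWT ECT payload, as an added example (not code from either draft). The function and table names are hypothetical, the JWT side is assumed to carry UUIDs as 36-character text, and the result is a Python dict with integer keys ready to hand to a CBOR encoder, not serialized CBOR.

```python
import base64
import uuid

# JWT claim name -> CWT integer key, copied from the two claim tables on this page.
CWT_KEY = {
    "iss": 1, "sub": 2, "aud": 3, "exp": 4, "iat": 6, "jti": 7, "wid": 300,
    "exec_act": 301, "par": 302, "pol": 303, "pol_decision": 304,
    "pol_enforcer": 305, "pol_timestamp": 306, "inp_hash": 307, "out_hash": 308,
    "inp_classification": 309, "exec_time_ms": 310, "regulated_domain": 311,
    "model_version": 312, "witnessed_by": 313, "compensation_required": 314,
    "compensation_reason": 315, "ext": 316,
}
POL_DECISION = {"approved": 0, "rejected": 1, "pending_human_review": 2}
REGULATED_DOMAIN = {"medtech": 0, "finance": 1, "military": 2}
# JWT hash prefix -> (COSE algorithm ID, digest length in bytes)
COSE_HASH = {"sha-256": (-16, 32), "sha-384": (-43, 48), "sha-512": (-44, 64)}

def uuid16(text):  # 36-character UUID text -> 16-byte binary (bstr .size 16)
    return uuid.UUID(text).bytes

def hash_pair(value):  # "algorithm:base64url-hash" -> [cose_algorithm_id, raw_hash_bytes]
    alg, _, b64 = value.partition(":")
    if alg not in COSE_HASH:
        raise ValueError(f"unsupported hash algorithm {alg!r}")
    alg_id, size = COSE_HASH[alg]
    raw = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    if len(raw) != size:  # a truncated digest must not be accepted silently
        raise ValueError(f"{alg} digest must be {size} bytes, got {len(raw)}")
    return [alg_id, raw]

# Claims whose value changes representation; every other claim is copied as-is.
CONVERT = {
    "jti": uuid16, "wid": uuid16, "par": lambda ids: [uuid16(i) for i in ids],
    "inp_hash": hash_pair, "out_hash": hash_pair,
    "pol_decision": POL_DECISION.__getitem__,
    "regulated_domain": REGULATED_DOMAIN.__getitem__,
}

def jwt_to_cwt_claims(jwt):
    if ("pol" in jwt) != ("pol_decision" in jwt):
        raise ValueError("pol and pol_decision must appear together")
    return {CWT_KEY[name]: CONVERT.get(name, lambda v: v)(value)
            for name, value in jwt.items()}

# Constructed sample payload (not from the drafts); inp_hash is SHA-256 of b"".
SAMPLE_JWT = {
    "iss": "spiffe://example.org/agent/a", "aud": "spiffe://example.org/agent/b",
    "iat": 1700000000, "exp": 1700000600, "exec_act": "review", "par": [],
    "jti": "550e8400-e29b-41d4-a716-446655440000", "pol": "rule-1",
    "pol_decision": "approved",
    "inp_hash": "sha-256:47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU",
}
```

An unknown claim name raises `KeyError` and an unknown enumeration string does the same, so a payload that cannot be mapped fails instead of being partially converted.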

| JOSE Parameter | COSE Label | CBOR Type | Description |
|---|---|---|---|
| alg | 1 | int | Signature algorithm (e.g., -7 = ES256) |
| (content type) | 3 | tstr / uint | "application/wimse-exec+cwt" |
| kid | 4 | bstr | Key identifier from WIT |
| typ | 16 | tstr | "wimse-exec+cwt" |
Quick Reference: JWT Example to CBOR Diagnostic
JWT Payload
Equivalent CBOR Diagnostic