RFC Errata
RFC 8392, "CBOR Web Token (CWT)", May 2018
Source of RFC: ace (sec)
Errata ID: 8617
Status: Reported
Type: Technical
Publication Format(s) : TEXT
Reported By: Rohan Mahy
Date Reported: 2025-10-29
Section 2 says:
NumericDate
The "NumericDate" term in this specification has the same meaning
and processing rules as the JWT "NumericDate" term defined in
Section 2 of [RFC7519], except that it is represented as a CBOR
numeric date (from Section 2.4.1 of [RFC7049]) instead of a JSON
number. The encoding is modified so that the leading tag 1
(epoch-based date/time) MUST be omitted.
It should say:
NumericDate
The "NumericDate" term in this specification has the same meaning
and processing rules as the JWT "NumericDate" term defined in
Section 2 of [RFC7519], except that it is represented as a finite
CBOR numeric date (from Section 2.4.1 of [RFC7049]) instead of a
JSON number. The encoding is modified so that the leading tag 1
(epoch-based date/time) MUST be omitted.
Notes:
Section 2.4.1 of RFC7049 says that the value is a negative or positive integer or a floating point *number* (which does not include NaN floating pointing point values), but it does not say anything about floating point positive and negative infinity. This is likely to be missed by most implementers of RFC 8392.
A JWT "NumericDate" was intended to mimic a value which can be expressed in JSON. JSON does not allow infinite values.
In addition, exp, nbf, and iat all share the same type. The iat is the "issued at" date. The idea of a creation date with an infinite value is nonsensical.