I have an application for JWT that is not OAuth2. 

Having said that, nonces are difficult to implement at scale and I have heard 
of many sites that don't implement them fully.

On Aug 27, 2012, at 12:06 PM, axel.nenn...@telekom.de wrote:

> I vote: NO
> 
> I think that nonce does make sense in signing or encryption because it only 
> makes sense in a protocol exchange. 
> Maybe there is some justification for nonce in jwt but if jwt is used with 
> oauth2 then we already have state.
> 
> Could one of the six who voted yes please explain why nonce is useful?
> 
> Axel
> 
> -----Original Message-----
> From: jose-boun...@ietf.org [mailto:jose-boun...@ietf.org] On Behalf Of 
> Nennker, Axel
> Sent: Monday, August 27, 2012 10:37 AM
> To: i...@augustcellars.com; jose@ietf.org
> Subject: Re: [jose] DISCUSS: Nonce/Timestamp parameter
> 
> What is the base specification? 
> https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-03 ?
> I think that nonce and timestamp are protocol specific fields and that JOSE 
> is not about protocols. There are no round-trips in JOSE.
> The cryptographic algorithms used in JOSE are secure enough without nonce 
> and timestamp.
> 
> Axel
> 
> -----Original Message-----
> From: jose-boun...@ietf.org [mailto:jose-boun...@ietf.org] On Behalf Of Jim 
> Schaad
> Sent: Friday, August 17, 2012 9:05 AM
> To: jose@ietf.org
> Subject: [jose] POLL: Nonce/Timestamp parameter
> 
> <CHAIR>
> 
> If you voted at the face-2-face please do not vote again.  If you want to 
> provide comments please change the title from POLL to DISCUSS.
> 
> Do we need to define a nonce/timestamp parameter in the base specification?
> 
> 
> 
> Room vote:  6 yes, 0 no, 1 discuss
> 
> 
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose
