Cross-protocol attacks are prevented through the use of Explicit Typing, as
described in the JWT BCP at
https://www.rfc-editor.org/rfc/rfc8725.html#name-use-explicit-typing and
https://www.ietf.org/archive/id/draft-ietf-cose-typ-header-parameter-00.html.
-- Mike
-----Original Message-----
From: Carsten Bormann <[email protected]>
Sent: Friday, October 27, 2023 8:58 AM
To: Michael Jones <[email protected]>
Cc: Francesca Palombini <[email protected]>;
[email protected]; [email protected]; [email protected]
Subject: Re: [IANA #1284212] expert review for
draft-ietf-cose-cwt-claims-in-headers (cose)
On 2023-10-27, at 16:59, Michael Jones <[email protected]> wrote:
>
> Just like JWTs and CWTs, the CWT Claims Set in the header parameter is a data
> structure. It's the applications using them that profile them to use
> particular claims and assign them specific semantics in their context. An
> OpenID Connect ID Token defines semantics for a particular kind of JWT, just
> like STIR defines semantics for other kinds of JWTs. SCITT is assigning
> semantics to a particular use of the CWT Claims header parameter.
Hmm, that sounds like a recipe for cross-protocol attacks.
Regards, Carsten
_______________________________________________
COSE mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/cose