I vote: NO

I think that nonce does make sense in signing or encryption because it only makes sense in a protocol exchange. Maybe there is some justification for nonce in jwt but if jwt is used with oauth2 then we already have state.

Could one of the six who voted yes please explain why nonce is useful?

Axel

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Nennker, Axel
Sent: Monday, August 27, 2012 10:37 AM
To: [email protected]; [email protected]
Subject: Re: [jose] DISCUSS: Nonce/Timestamp parameter

What is the base specification?
https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-03 ?

I think that nonce and timestamp are protocol specific fields and that JOSE is not about protocols. There are no round-trips in JOSE. The cryptographic algorithms used in JOSE are secure enough without nonce and timestamp.

Axel

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Jim Schaad
Sent: Friday, August 17, 2012 9:05 AM
To: [email protected]
Subject: [jose] POLL: Nonce/Timestamp parameter

<CHAIR>

If you voted at the face-2-face please do not vote again. If you want to provide comments please change the title from POLL to DISCUSS.

Do we need to define a nonce/timestamp parameter in the base specification?

Room vote: 6 yes, 0 no, 1 discuss

_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
