To clarify: What is the base specification that Jim mentioned? Is it: http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-03 ?
Would somebody please present a use-case for either nonce or timestamp? If a jwt is used with oauth2 then what is the difference between nonce and state? Nonce would be signed while state is not? I guess I am missing some information that those in the room who voted "yes" had? Axel 2012/8/25 Mike Jones <[email protected]> > I'll note for discussion purposes that a nonce and a timestamp are not the > same thing (although sometimes they are used to achieve similar/related > goals). A nonce tends to be an opaque value that must be preserved across > the communication. Whereas a timestamp typically has defined semantics - > sometimes simply a non-decreasing integer value - and sometimes a > representation of time, and then, sometimes with a uniqueness requirement. > > For discussion purposes, I'll say that the simplest thing for us to do > (should we decide to do anything in this regard) would be to define the > nonce as an opaque string value that must be preserved. > > We could also define a timestamp parameter, but as I wrote above, that > would likely require us to specify additional semantics - starting with > whether it's a non-decreasing integer or a representation of a time value. > This seems much harder to define and possibly to use than a nonce. > > Would it make sense to define a nonce parameter now and hold off on > defining a timestamp parameter until there's a clear demonstrated use case > for which a nonce is not sufficient? That would be my personal > recommendation. > > Best wishes, > -- Mike > > -----Original Message----- > From: [email protected] [mailto:[email protected]] On Behalf Of > Jim Schaad > Sent: Friday, August 17, 2012 12:05 AM > To: [email protected] > Subject: [jose] POLL: Nonce/Timestamp parameter > > <CHAIR> > > If you voted at the face-2-face please do not vote again. If you want to > provide comments please change the title from POLL to DISCUSS. > > Do we need to define a nonce/timestamp parameter in the base specification? > > > > Room vote: 6 yes, 0 no, 1 discuss > > > _______________________________________________ > jose mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/jose > > > _______________________________________________ > jose mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/jose >
_______________________________________________ jose mailing list [email protected] https://www.ietf.org/mailman/listinfo/jose
