I agree that jwt is useful without oauth2. Still we already have exp, iat, jti in jwt. What protection do nonce/timestamp bring to jwt users?
I think the poll about this question should be reconsidered because the question is unclear and nonce/timestamp have no supporting use case beyond exp, iat, jti.

Axel

From: Stephen Kent [mailto:[email protected]]
Sent: Tuesday, August 28, 2012 6:20 AM
To: [email protected]; Nennker, Axel
Subject: Re: [jose] DISCUSS: Nonce/Timestamp parameter

Axel,

I did not vote on this issue, but I am concerned by what appears to be the basis for your position. Specifically, you say:

Maybe there is some justification for nonce in jwt but if jwt is used with oauth2 then we already have state.

JOSE's scope is not just oauth2, so it seems inappropriate to argue that a feature is not needed based on just that app.

Steve
_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
