On 08/25/2012 03:37 AM, Axel Nennker wrote:
To clarify: What is the base specification that Jim mentioned?
Is it: http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-03 ?
Would somebody please present a use-case for either nonce or timestamp?
If a jwt is used with oauth2 then what is the difference between nonce
and state? Nonce would be signed while state is not?
Nonce would generally be generated by the entity creating the token.
State in OAuth is generated by the client, and would only be protected
if the client had a means to make a signed request to the server, using
either a MAC binding or a JWT-based OIDC-style RequestObject.
-- Justin
I guess I am missing some information that those in the room who voted
"yes" had?
Axel
2012/8/25 Mike Jones <[email protected]>
I'll note for discussion purposes that a nonce and a timestamp are
not the same thing (although sometimes they are used to achieve
similar/related goals). A nonce tends to be an opaque value that
must be preserved across the communication. Whereas a timestamp
typically has defined semantics - sometimes simply a
non-decreasing integer value - and sometimes a representation of
time, and then, sometimes with a uniqueness requirement.
For discussion purposes, I'll say that the simplest thing for us
to do (should we decide to do anything in this regard) would be to
define the nonce as an opaque string value that must be preserved.
We could also define a timestamp parameter, but as I wrote above,
that would likely require us to specify additional semantics -
starting with whether it's a non-decreasing integer or a
representation of a time value. This seems much harder to define
and possibly to use than a nonce.
Would it make sense to define a nonce parameter now and hold off
on defining a timestamp parameter until there's a clear
demonstrated use case for which a nonce is not sufficient? That
would be my personal recommendation.
Best wishes,
-- Mike
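As an added illustration of the two points above (Justin's: a nonce lives inside the signed token, unlike OAuth state; Mike's: a nonce is an opaque value preserved verbatim, while a timestamp needs defined semantics), this is example code written for this page, not code from the thread or from any JOSE draft. It assumes HS256 JWTs, a nonce that the receiving party hands to the token issuer and expects echoed back unchanged, and an "iat" claim interpreted as seconds since the epoch; the key, claim values and clock readings are constructed for the demo.

```python
import base64, hashlib, hmac, json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_jwt(claims: dict, key: bytes) -> str:
    """Issuer side: sign the claims (nonce and iat included) with HS256."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_jwt(token, key, expected_nonce, seen_nonces, now, max_age):
    """Receiver side: return the claims if signature, nonce and timestamp
    checks all pass, otherwise None. seen_nonces is mutated on success."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None
    expected_sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _unb64url(s)):
        return None  # signature covers the nonce, so tampering fails here
    claims = json.loads(_unb64url(p))
    # Nonce: opaque, compared verbatim against the value we handed out,
    # and accepted only once so a captured token cannot be replayed.
    nonce = claims.get("nonce")
    if (not isinstance(nonce, str) or nonce in seen_nonces
            or not hmac.compare_digest(nonce, expected_nonce)):
        return None
    # Timestamp: only meaningful once we fix its semantics. Here "iat" is
    # epoch seconds and the token must be neither stale nor from the future.
    iat = claims.get("iat")
    if not isinstance(iat, int) or iat > now or now - iat > max_age:
        return None
    seen_nonces.add(nonce)
    return claims

if __name__ == "__main__":
    KEY = b"constructed-demo-key"          # constructed, not a real secret
    NONCE = "n-7f3a"                        # constructed, chosen by receiver
    token = mint_jwt({"sub": "alice", "nonce": NONCE, "iat": 1000}, KEY)
    seen = set()
    print(verify_jwt(token, KEY, NONCE, seen, now=1010, max_age=300))  # claims
    print(verify_jwt(token, KEY, NONCE, seen, now=1010, max_age=300))  # None (replay)
```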
-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Jim Schaad
Sent: Friday, August 17, 2012 12:05 AM
To: [email protected]
Subject: [jose] POLL: Nonce/Timestamp parameter
<CHAIR>
If you voted at the face-2-face please do not vote again. If you
want to provide comments please change the title from POLL to DISCUSS.
Do we need to define a nonce/timestamp parameter in the base
specification?
Room vote: 6 yes, 0 no, 1 discuss
_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose