Applications need to define what signature algorithms they accept.   In some 
cases over some communication channels the signature may not be required.

Applications processing JWT like Connect want to process tokens consistently.  
Receiving a JWT with an alg of none is fine under some circumstances.  
In general you would restrict the library from accepting it.  

John B.

On 2013-07-31, at 3:44 PM, Richard Barnes <[email protected]> wrote:

> Ok. That seems like a bug in OpenID Connect.  They should be switching the 
> content type (JWS vs. bare request) or using detached signatures.
> 
> What's the result of JWS verification when "alg" == "none"?  It seems like it 
> has to be either "True" or "False".  If you pick "true", there's an easy 
> attack where you just change the algorithm to "none" and delete the 
> signature.  If you pick "false"... well it seems silly to have a signature 
> algorithm that never verifies.
> 
> On Wed, Jul 31, 2013 at 2:48 PM, Mike Jones <[email protected]> 
> wrote:
> It's optional to sign lots of content.  For instance, OpenID Connect requests 
> can be signed or unsigned, depending upon the security properties desired.  
> "alg":"none" is used for such unsigned requests.
> 
> -- Mike
> 
> From: [email protected] [mailto:[email protected]] On Behalf Of 
> Richard Barnes
> Sent: Wednesday, July 31, 2013 5:46 AM
> To: [email protected]
> Subject: [jose] Signature algorithm "none"
> 
> What's the use case for this?  Can we delete it?
> 
> 
> _______________________________________________
> jose mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/jose
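The thread's point is that the verifier, not the token, decides which algorithms are acceptable: "alg":"none" is only safe when the application has explicitly opted into unsigned content, and a library that treats a missing signature as a passing verification is the bug Richard describes. The following added example (written for this page, not code from the jose working group or any library) shows a minimal JWS verifier with a mandatory allow-list and an HS256 implementation; the key, the claims and the tokens it builds are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional


class InvalidToken(Exception):
    """Raised whenever a token must not be trusted."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # JWS omits base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def make_hs256_token(claims: dict, key: bytes) -> str:
    """Build a signed JWS (HMAC-SHA256) over the given claims."""
    header = _segment({"alg": "HS256", "typ": "JWT"})
    payload = _segment(claims)
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def make_unsigned_token(claims: dict) -> str:
    """Build an 'alg':'none' token: same layout, empty signature segment.

    This is what an unsigned OpenID Connect request looks like, and also what
    a tampered token looks like; the verifier below treats both the same way.
    """
    return f"{_segment({'alg': 'none'})}.{_segment(claims)}."


def verify_jws(token: str, allowed_algs: frozenset, key: Optional[bytes] = None) -> dict:
    """Return the claims only if the token's alg is on the caller's allow-list
    and the signature (if any) checks out.

    There is deliberately no default for allowed_algs: the application has to
    state what it accepts, so "none" can never be accepted by omission.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("token must have exactly three segments")
    header_b64, payload_b64, sig_b64 = parts

    try:
        header = json.loads(b64url_decode(header_b64))
    except (ValueError, json.JSONDecodeError) as exc:
        raise InvalidToken("unparseable header") from exc

    alg = header.get("alg")
    # The allow-list check comes first, before any algorithm-specific logic,
    # so an attacker-chosen "alg" can only select among what we already permit.
    if alg not in allowed_algs:
        raise InvalidToken(f"alg {alg!r} is not permitted by this application")

    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")

    if alg == "none":
        # Only reachable when the application listed "none" explicitly
        # (e.g. unsigned Connect requests). An unsigned token that still
        # carries signature bytes is malformed and is rejected as well.
        if sig_b64 != "":
            raise InvalidToken("alg none must have an empty signature")
        return json.loads(b64url_decode(payload_b64))

    if alg == "HS256":
        if key is None:
            raise InvalidToken("HS256 requires a verification key")
        expected = hmac.new(key, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            raise InvalidToken("HMAC signature does not verify")
        return json.loads(b64url_decode(payload_b64))

    # Anything else on the allow-list that we have no implementation for.
    raise InvalidToken(f"alg {alg!r} is allowed but not implemented")


if __name__ == "__main__":
    demo_key = b"constructed-demo-key-not-for-real-use"
    signed = make_hs256_token({"sub": "alice"}, demo_key)
    print(verify_jws(signed, frozenset({"HS256"}), demo_key))
    try:
        verify_jws(make_unsigned_token({"sub": "alice"}), frozenset({"HS256"}), demo_key)
    except InvalidToken as err:
        print("rejected:", err)
```

The important design choice is the order of checks: the allow-list is consulted before the signature segment is even looked at, so "none" is rejected by a signed-token consumer regardless of what the signature field contains, while a component that really does accept unsigned requests opts in with `frozenset({"none"})` and still gets structural validation.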
