You didn't answer my question: When I put a JWS with "alg":"none" into bool JOSE::verify(), what do I get?
The consistency you assert is illusory.

On Wed, Jul 31, 2013 at 5:24 PM, John Bradley <[email protected]> wrote:
> Applications need to define what signature algorithms they accept. In
> some cases over some communication channels the signature may not be
> required.
>
> Applications processing JWT like Connect want to process tokens
> consistently. Receiving a JWT with an alg of none is fine under some
> circumstances.
> In general you would restrict the library from accepting it.
>
> John B.
>
> On 2013-07-31, at 3:44 PM, Richard Barnes <[email protected]> wrote:
>
> Ok. That seems like a bug in OpenID Connect. They should be switching the
> content type (JWS vs. bare request) or using detached signatures.
>
> What's the result of JWS verification when "alg" == "none"? It seems like
> it has to be either "True" or "False". If you pick "true", there's an easy
> attack where you just change the algorithm to "none" and delete the
> signature. If you pick "false"... well it seems silly to have a signature
> algorithm that never verifies.
>
> On Wed, Jul 31, 2013 at 2:48 PM, Mike Jones <[email protected]> wrote:
>
>> It's optional to sign lots of content. For instance, OpenID Connect
>> requests can be signed or unsigned, depending upon the security properties
>> desired. "alg":"none" is used for such unsigned requests.
>>
>> -- Mike
>>
>> From: [email protected] [mailto:[email protected]] On Behalf Of Richard Barnes
>> Sent: Wednesday, July 31, 2013 5:46 AM
>> To: [email protected]
>> Subject: [jose] Signature algorithm "none"
>>
>> What's the use case for this? Can we delete it?
_______________________________________________ jose mailing list [email protected] https://www.ietf.org/mailman/listinfo/jose
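The decision point Richard is asking about, as an added example that is not code from this thread or from any JOSE library: a compact-JWS verifier that returns a boolean only for algorithms the application has explicitly listed, so a token rewritten to "alg":"none" with its signature removed fails unless the application opted in to "none". The key, claims and function names are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def verify_jws(token: str, key: bytes, allowed_algs: frozenset) -> bool:
    """Verify a compact JWS (header.payload.signature). True only if the header's
    alg is in the application's allow-list AND the signature holds for that alg.
    "none" is treated like any other alg: the app lists it, the token never picks."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError):
        return False
    if not isinstance(header, dict) or header.get("alg") not in allowed_algs:
        return False                       # rejected before any crypto runs
    signing_input = f"{header_b64}.{payload_b64}".encode()
    if header["alg"] == "none":
        return sig_b64 == ""               # unsigned; reached only if app opted in
    if header["alg"] == "HS256":
        expected = hmac.new(key, signing_input, hashlib.sha256).digest()
        return hmac.compare_digest(expected, b64url_decode(sig_b64))
    return False                           # allowed by app but not implemented here

def make_hs256(claims: dict, key: bytes) -> str:
    header_b64 = b64url_encode(b'{"alg":"HS256"}')
    payload_b64 = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{b64url_encode(sig)}"

def unsigned_variant(token: str) -> str:
    """Test vector: same payload, header rewritten to alg=none, signature removed
    (the case Richard describes), used to check that the verifier rejects it."""
    _, payload_b64, _ = token.split(".")
    header_b64 = b64url_encode(b'{"alg":"none"}')
    return f"{header_b64}.{payload_b64}."

KEY = b"constructed-demo-key"              # constructed sample value, not a real secret
SIGNED = make_hs256({"sub": "alice"}, KEY)
STRIPPED = unsigned_variant(SIGNED)
```

With `allowed_algs=frozenset({"HS256"})` the stripped token is rejected without any signature check being attempted; only an application that passes `{"none"}` gets `True` for it, which is the library restriction John describes.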
