If the function receives a shared/public key, then it should raise an error for 
the alg=none case.
If no keys are given, it should raise an error for the alg=anything-not-none case.

That's my json-jwt rubygem's behaviour.

nov
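As an added example (not the json-jwt gem's code and not part of the thread), here is a small Ruby JWS verifier for the compact serialization that applies the policy nov describes: a supplied key means a signature is required, so "alg":"none" is an error; no key means only unsigned tokens are accepted, so any real algorithm is an error. It also shows, as a negative test, that the header-rewrite Richard describes is rejected once a key is configured. The module name JwsPolicy, the HS256-only allowlist, and the constructed tokens and secret are assumptions made for the example.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Added example, not the json-jwt gem's implementation.
module JwsPolicy
  class VerificationError < StandardError; end

  # Explicit allowlist: anything else is rejected before any key is touched.
  SUPPORTED = %w[HS256 none].freeze

  def self.b64url_encode(bytes)
    Base64.urlsafe_encode64(bytes, padding: false)
  end

  def self.b64url_decode(str)
    Base64.urlsafe_decode64(str) # tolerates missing padding (Ruby >= 2.3)
  end

  # Builds a compact JWS for test input (constructed; HS256 or none only).
  def self.sign(payload, key: nil, alg: 'HS256')
    header = { 'alg' => alg, 'typ' => 'JWT' }
    signing_input = [b64url_encode(JSON.generate(header)),
                     b64url_encode(JSON.generate(payload))].join('.')
    sig = case alg
          when 'HS256' then OpenSSL::HMAC.digest('SHA256', key, signing_input)
          when 'none'  then ''
          else raise ArgumentError, "unsupported alg #{alg}"
          end
    "#{signing_input}.#{b64url_encode(sig)}"
  end

  # Produces the "alg rewritten to none, signature deleted" variant of a token,
  # used only to check that verify() refuses it when a key is present.
  def self.strip_to_none(token)
    parts = token.split('.', -1)
    header = JSON.parse(b64url_decode(parts[0]))
    header['alg'] = 'none'
    "#{b64url_encode(JSON.generate(header))}.#{parts[1]}."
  end

  # nov's rule: key given => alg=none raises; no key => anything but none raises.
  def self.verify(token, key: nil)
    parts = token.split('.', -1)
    raise VerificationError, 'malformed token' unless parts.length == 3

    header = JSON.parse(b64url_decode(parts[0]))
    alg = header['alg']
    raise VerificationError, "unsupported alg #{alg.inspect}" unless SUPPORTED.include?(alg)

    if key.nil?
      raise VerificationError, 'unsigned token expected, alg is not none' unless alg == 'none'
      raise VerificationError, 'alg none with a non-empty signature' unless parts[2].empty?
    else
      raise VerificationError, 'alg none rejected because a key was supplied' if alg == 'none'
      expected = OpenSSL::HMAC.digest('SHA256', key, "#{parts[0]}.#{parts[1]}")
      raise VerificationError, 'bad signature' unless secure_equal(expected, b64url_decode(parts[2]))
    end
    JSON.parse(b64url_decode(parts[1]))
  end

  # Constant-time comparison so a rejected MAC leaks nothing through timing.
  def self.secure_equal(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if $PROGRAM_NAME == __FILE__
  key = 'constructed-example-secret'
  signed = JwsPolicy.sign({ 'sub' => 'alice' }, key: key)
  puts "signed, key given:  #{JwsPolicy.verify(signed, key: key).inspect}"
  begin
    JwsPolicy.verify(JwsPolicy.strip_to_none(signed), key: key)
  rescue JwsPolicy::VerificationError => e
    puts "none, key given:    rejected (#{e.message})"
  end
end
```

The verifier returns a boolean-free result on purpose: the caller gets the payload or an exception, so there is no "true for none" branch to misuse, which is the ambiguity Richard raises. Note that the policy only works if the application decides up front whether it expects a key; passing `key: nil` to a verifier that should have a key silently turns on the unsigned path.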

On Aug 1, 2013, at 1:40 AM, Richard Barnes <[email protected]> wrote:

> You didn't answer my question: When I put a JWS with "alg":"none" into bool 
> JOSE::verify(), what do I get?
> 
> The consistency you assert is illusory.
> 
> 
> On Wed, Jul 31, 2013 at 5:24 PM, John Bradley <[email protected]> wrote:
>> Applications need to define what signature algorithms they accept.  In some 
>> cases over some communication channels the signature may not be required.
>> 
>> Applications processing JWT like Connect want to process tokens 
>> consistently.  Receiving a JWT with an alg of none is fine under some 
>> circumstances.  
>> In general you would restrict the library from accepting it.  
>> 
>> John B.
>> 
>> On 2013-07-31, at 3:44 PM, Richard Barnes <[email protected]> wrote:
>> 
>>> Ok. That seems like a bug in OpenID Connect.  They should be switching the 
>>> content type (JWS vs. bare request) or using detached signatures.
>>> 
>>> What's the result of JWS verification when "alg" == "none"?  It seems like 
>>> it has to be either "True" or "False".  If you pick "true", there's an easy 
>>> attack where you just change the algorithm to "none" and delete the 
>>> signature.  If you pick "false"... well it seems silly to have a signature 
>>> algorithm that never verifies.
>>> 
>>> On Wed, Jul 31, 2013 at 2:48 PM, Mike Jones <[email protected]> wrote:
>>>> It's optional to sign lots of content.  For instance, OpenID Connect 
>>>> requests can be signed or unsigned, depending upon the security properties 
>>>> desired.  "alg":"none" is used for such unsigned requests.
>>>> 
>>>>                                                             -- Mike
>>>> 
>>>> From: [email protected] [mailto:[email protected]] On Behalf Of 
>>>> Richard Barnes
>>>> Sent: Wednesday, July 31, 2013 5:46 AM
>>>> To: [email protected]
>>>> Subject: [jose] Signature algorithm "none"
>>>> 
>>>> What's the use case for this?  Can we delete it?
>>>> 
>>> 
> 
_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
