If something doesn't have a signature (or MAC, yeah yeah yeah), then I have a 
really hard time calling it a JWS (JSON Web Signature), and therefore have a 
really hard time seeing "alg":"none" as useful.

Assuming this is using compact serialization: Why not just send in the 
base64url(payload)?  Then you can tell if you have an actually signed JWT (3 
dots) versus an unsigned JWT (0 dots).


- m&m

Matt Miller < [email protected] >
Cisco Systems, Inc.

On Aug 1, 2013, at 1:23 PM, jose issue tracker <[email protected]> 
wrote:

> #36: Algorithm "none" should be removed
> 
> 
> Comment (by [email protected]):
> 
> And sure enough, working groups across the IETF are having to explicitly
> forbid the use of null ciphersuites.  They provide empirical evidence that
> this design pattern is a bad idea.
> 
> As I've pointed out before, you can add that verification algorithm, but
> you will not have a good time writing security considerations around it.
> Checking that you support "none" is not enough -- you have to check that
> *nothing* *else* in the header could possibly indicate that a different
> signature algorithm should be used.
> 
> So we have something that (1) causes a lot of spec work, (2) causes
> security vulnerabilities under likely implementation designs, and (3) has
> no use case, and (4) will haunt us for years to come (how many times do
> you want to write 'MUST NOT use "alg":"none"'?).  Sounds like a recipe for
> success!
> 
> -- 
> -------------------------+-------------------------------------------------
> Reporter:               |       Owner:  draft-ietf-jose-json-web-
>  [email protected] |  [email protected]
>     Type:  defect       |      Status:  new
> Priority:  major        |   Milestone:
> Component:  json-web-    |     Version:
>  signature              |  Resolution:
> Severity:  -            |
> Keywords:               |
> -------------------------+-------------------------------------------------
> 
> Ticket URL: <http://trac.tools.ietf.org/wg/jose/trac/ticket/36#comment:4>
> jose <http://tools.ietf.org/jose/>
> 
> _______________________________________________
> jose mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/jose
