If you really want to have a header, you could also have the unsigned JWT have 2 components (1 dot). That way, you would demux unsigned/signed/encrypted based on number of dots, not "alg".
--Richard

On Thu, Aug 1, 2013 at 1:51 PM, Matt Miller (mamille2) <[email protected]> wrote:
> If something doesn't have a signature (or MAC, yeah yeah yeah), then I
> have a really hard time calling it a JWS (JSON Web Signature), and
> therefore have a really hard time seeing "alg":"none" as useful.
>
> Assuming this is using compact serialization: Why not just send in the
> base64url(payload)? Then you can tell if you have an actually signed JWT
> (3 dots) versus an unsigned JWT (0 dots).
>
>
> - m&m
>
> Matt Miller <[email protected]>
> Cisco Systems, Inc.
>
> On Aug 1, 2013, at 1:23 PM, jose issue tracker <[email protected]> wrote:
>
> > #36: Algorithm "none" should be removed
> >
> > Comment (by [email protected]):
> >
> > And sure enough, working groups across the IETF are having to explicitly
> > forbid the use of null ciphersuites. They provide empirical evidence that
> > this design pattern is a bad idea.
> >
> > As I've pointed out before, you can add that verification algorithm, but
> > you will not have a good time writing security considerations around it.
> > Checking that you support "none" is not enough -- you have to check that
> > *nothing* *else* in the header could possibly indicate that a different
> > signature algorithm should be used.
> >
> > So we have something that (1) causes a lot of spec work, (2) causes
> > security vulnerabilities under likely implementation designs, and (3) has
> > no use case, and (4) will haunt us for years to come (how many times do
> > you want to write 'MUST NOT use "alg":"none"'?). Sounds like a recipe for
> > success!
> >
> > --
> > -------------------------+-------------------------------------------------
> >  Reporter:               |      Owner:  draft-ietf-jose-json-web-
> >   [email protected]        |              [email protected]
> >      Type:  defect       |     Status:  new
> >  Priority:  major        |  Milestone:
> > Component:  json-web-    |    Version:
> >   signature              | Resolution:
> >  Severity:  -            |
> >  Keywords:               |
> > -------------------------+-------------------------------------------------
> >
> > Ticket URL: <http://trac.tools.ietf.org/wg/jose/trac/ticket/36#comment:4>
> > jose <http://tools.ietf.org/jose/>
> >
> > _______________________________________________
> > jose mailing list
> > [email protected]
> > https://www.ietf.org/mailman/listinfo/jose
>
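The two ideas in this thread (classify a compact token by its number of dots, and never let the header's "alg" decide whether verification happens) as an added, self-contained Python example written for this page; it is not code from the JOSE working group or from any JWT library. `verify_naive` is the implementation design the ticket comment warns about, where "alg":"none" switches signature checking off; `verify_strict` pins the algorithm the caller expects and takes the token's structure from the dot count. The key, the function names and the payloads are constructed for the demonstration, and only HS256 is implemented.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real deployment loads its secret from configuration.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def b64url_encode(raw: bytes) -> str:
    """base64url without '=' padding, as JOSE compact serialization uses."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the stripped padding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload: dict, key: bytes) -> str:
    """Build a compact JWS (two dots, three parts) with HMAC-SHA256."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    mac = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(mac)}"


def demux(token: str) -> str:
    """Classify a compact token by dot count alone, never by its header.

    0 dots: bare base64url(payload)            (Matt's unsigned form)
    1 dot : header.payload with no signature    (Richard's unsigned-with-header form)
    2 dots: JWS  header.payload.signature
    4 dots: JWE  header.encrypted_key.iv.ciphertext.tag
    """
    return {0: "unsigned", 1: "unsigned", 2: "jws", 4: "jwe"}.get(token.count("."), "invalid")


def verify_naive(token: str, key: bytes):
    """The design the ticket warns about: "alg" from the untrusted header
    decides whether a MAC is checked at all.  Returns the payload or None."""
    header_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") == "none":
        return json.loads(b64url_decode(body_b64))  # accepted with no MAC at all
    if header.get("alg") == "HS256":
        expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return json.loads(b64url_decode(body_b64))
    return None


def verify_strict(token: str, key: bytes, expected_alg: str = "HS256"):
    """Hardened verifier: structure comes from the dot count, the algorithm is
    pinned by the caller, and the header's "alg" must equal it exactly.
    Returns the payload or None; "alg" never decides whether to verify."""
    if expected_alg != "HS256" or demux(token) != "jws":
        return None  # only HS256 is implemented in this example
    header_b64, body_b64, sig_b64 = token.split(".")
    try:
        header = json.loads(b64url_decode(header_b64))
    except ValueError:  # covers bad base64 and bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != expected_alg:
        return None
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(body_b64))


def make_alg_none_token(payload: dict) -> str:
    """Constructed test input: header claiming "alg":"none" and an empty third
    part.  It has two dots, so only the header distinguishes it from a JWS."""
    header = b64url_encode(json.dumps({"alg": "none"}).encode())
    return f"{header}.{b64url_encode(json.dumps(payload).encode())}."


if __name__ == "__main__":
    good = sign_hs256({"sub": "alice"}, DEMO_KEY)
    unsigned_claim = make_alg_none_token({"sub": "admin"})
    print("naive accepts alg=none payload:", verify_naive(unsigned_claim, DEMO_KEY))
    print("strict rejects alg=none payload:", verify_strict(unsigned_claim, DEMO_KEY))
    print("strict accepts real HS256 token:", verify_strict(good, DEMO_KEY))
```

The strict verifier is deliberately boring: the caller says which algorithm it provisioned keys for, the dot count says what kind of object arrived, and the header is only allowed to agree with both. An unsigned token in either proposed form (0 or 1 dot) is classified as `unsigned` by `demux` and is never handed to the MAC check, which is the structural distinction the thread argues for instead of an "alg":"none" value.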
