On Aug 19, 2013, at 2:17 PM, Richard Barnes <[email protected]> wrote:

> On Mon, Aug 19, 2013 at 3:48 PM, John Bradley <[email protected]> wrote:
>
>> In OAuth and Connect there are cases where you are receiving tokens from
>> multiple sources. By allowing none as an alg option we can process signed
>> or unsigned tokens with the same basic handler by inspecting the first
>> segment. I note currently that while none has three segments the last
>> segment must be empty. I think that is sufficient to keep people from
>> becoming confused.
>>
>> Making it two segments will break existing parsers for no good reason.
>>
>
> No, there's a very good reason. Something that is not signed should not be
> accepted as a JSON Web Signature object. Acceptance of a JWS implies that
> the payload and protected headers were integrity protected from the signer;
> that is not true for "alg":"none".
>
> Also, it's not clear that this change will break existing parsers. For
> example, the NimbusDS parser would successfully parse a two-segment object
> as a "plain JWT"
> <https://bitbucket.org/nimbusds/nimbus-jose-jwt/src/ca58ff0ece35243aa6546583dffcd236dcea26d2/src/main/java/com/nimbusds/jwt/JWTParser.java?at=master>
>
>> What we call it I am flexible about, if it is an unsigned JOSE object in
>> compact serialization I am fine.
>>
>
> I would also be completely fine with an unsigned "header + content"
> structure (though I don't think it adds any value). But it must be
> recognizably different from JWS.
>
> --Richard, who is honestly kind of floored that there's all this argument
> over a single "." character
I completely agree with Richard.

- m&m
Matt Miller <[email protected]>
Cisco Systems, Inc.
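As an added example (not code from the thread, and not the NimbusDS parser), here is a small Python parser for compact-serialized JOSE objects that accepts both unsigned forms under discussion, three segments with an empty third segment and plain two segments, but, following Richard's rule, never reports an "alg":"none" object as integrity protected. HS256 is the only signing algorithm implemented; the key and payload are constructed test values.

```python
import base64
import hashlib
import hmac
import json

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_hs256(payload: bytes, key: bytes) -> str:
    # Three segments with a non-empty third segment: a real JWS.
    signing_input = b64url_encode(b'{"alg":"HS256"}') + "." + b64url_encode(payload)
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)

def make_none(payload: bytes, trailing_dot: bool) -> str:
    # Unsigned object: empty third segment (trailing_dot=True) or two segments.
    body = b64url_encode(b'{"alg":"none"}') + "." + b64url_encode(payload)
    return body + "." if trailing_dot else body

def parse_compact(token: str, key: bytes) -> tuple:
    # Returns (header, payload, integrity_protected); "none" is never protected.
    parts = token.split(".")
    if len(parts) not in (2, 3):
        raise ValueError("not a compact-serialized JOSE object")
    header = json.loads(b64url_decode(parts[0]))
    payload = b64url_decode(parts[1])
    sig = parts[2] if len(parts) == 3 else ""
    alg = header.get("alg")
    if alg == "none":
        if sig:
            raise ValueError('"alg":"none" must not carry a signature segment')
        return header, payload, False
    if alg == "HS256":
        signing_input = (parts[0] + "." + parts[1]).encode("ascii")
        expected = hmac.new(key, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            raise ValueError("HMAC verification failed")
        return header, payload, True
    raise ValueError("unsupported alg %r" % (alg,))

def accept_as_jws(token: str, key: bytes) -> bool:
    # Richard's rule: only an integrity-protected object counts as a JWS.
    try:
        return parse_compact(token, key)[2]
    except ValueError:
        return False
```

A verifier that dispatches on the first segment, as John describes, still has to treat the third return value as the acceptance decision, or a signed token with its signature stripped passes as "parsed".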
_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
