Just so people have a point of comparison, my proposed "JSON Web Payload" definition is in the patch attached to ISSUE-36: <http://trac.tools.ietf.org/wg/jose/trac/attachment/ticket/36/ALG-NONE.patch>
I agree with James and Vladimir that a separate object type is easier to get right than all of the security checks that "none" requires.

--Richard

On Tue, Sep 3, 2013 at 2:02 PM, Mike Jones <[email protected]> wrote:

> I took an action item during the last call to write text along the lines
> suggested by ekr about applications and "alg":"none". I propose that the
> following text be included:
>
> It is RECOMMENDED that libraries provide applications a means of
> specifying the list of acceptable algorithms used in a JWS object in a way
> that causes inputs using algorithms outside the specified set to be
> rejected. In particular, it is intended for applications to use this
> mechanism to exclude accepting inputs using "alg":"none" in security
> contexts where non-integrity protected inputs are not acceptable.
>
> Feedback/proposed wording refinements welcomed.
>
> -- Mike
>
> _______________________________________________
> jose mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/jose
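To make concrete what the proposed text asks of libraries, and why Richard calls the "none" checks hard to get right, here is an added example (written for this page, not code from the JOSE drafts or from any of the posters): a compact-JWS verifier that trusts the token's own "alg" header next to one that enforces an application-specified allow-list and rejects "alg":"none" unless the application explicitly lists it. Only HS256 and "none" are implemented; the key, the claims and the function names are constructed assumptions for the demonstration.

```python
"""Added example: an application-specified allow-list of JWS algorithms.

Constructed for illustration; not code from the JOSE drafts or the posters.
Only HS256 and "none" are implemented, which is enough to show why the
set of acceptable algorithms has to be the application's decision."""
import base64
import hashlib
import hmac
import json


class InvalidToken(Exception):
    """Raised when a compact JWS fails any verification check."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # Compact JWS strips base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_b64(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(payload: dict, key: bytes) -> str:
    """Produce a compact JWS (header.payload.signature) with HS256."""
    header, body = _json_b64({"alg": "HS256"}), _json_b64(payload)
    sig = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def forge_alg_none(payload: dict) -> str:
    """Build an unsecured JWS: "alg":"none" and an empty signature part.
    No key is needed, so anyone can produce this for any payload."""
    return f"{_json_b64({'alg': 'none'})}.{_json_b64(payload)}."


def _parse(token: str):
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("compact JWS must have exactly three parts")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    return header, payload, parts


def _check_signature(alg, parts: list, key: bytes) -> None:
    """Per-algorithm integrity check; raises InvalidToken on failure."""
    if alg == "none":
        # An unsecured JWS carries an empty signature part; anything else
        # is malformed. Passing this check says nothing about who produced
        # the payload, which is the whole problem with "none".
        if parts[2] != "":
            raise InvalidToken("unsecured JWS must have an empty signature")
        return
    if alg == "HS256":
        signing_input = f"{parts[0]}.{parts[1]}".encode("ascii")
        expected = hmac.new(key, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
            raise InvalidToken("HMAC mismatch")
        return
    raise InvalidToken(f"unsupported alg {alg!r}")


def verify_naive(token: str, key: bytes) -> dict:
    """Vulnerable: the token's own header decides how it is checked, so
    rewriting "alg" to "none" and dropping the signature gets accepted."""
    header, payload, parts = _parse(token)
    _check_signature(header.get("alg"), parts, key)
    return payload


def verify_strict(token: str, key: bytes, allowed_algs: frozenset) -> dict:
    """Hardened: the application fixes the acceptable algorithms up front;
    anything outside that set is rejected before any cryptographic
    processing. "none" is accepted only if the application lists it."""
    header, payload, parts = _parse(token)
    alg = header.get("alg")
    if alg not in allowed_algs:
        raise InvalidToken(f"alg {alg!r} not in allowed set {sorted(allowed_algs)}")
    _check_signature(alg, parts, key)
    return payload


def accepts(verifier, *args) -> bool:
    """True if the verifier returns a payload, False if it rejects."""
    try:
        verifier(*args)
        return True
    except InvalidToken:
        return False


if __name__ == "__main__":
    KEY = b"constructed-demo-key-not-for-production"  # constructed
    ALLOWED = frozenset({"HS256"})  # the application's policy, not the token's
    genuine = sign_hs256({"sub": "alice", "admin": False}, KEY)
    forged = forge_alg_none({"sub": "alice", "admin": True})  # built without the key
    print("naive accepts forged:  ", accepts(verify_naive, forged, KEY))             # True
    print("strict accepts forged: ", accepts(verify_strict, forged, KEY, ALLOWED))   # False
    print("strict accepts genuine:", accepts(verify_strict, genuine, KEY, ALLOWED))  # True
```

The point of the allow-list check is where it sits: before any per-algorithm processing, so a header the attacker controls cannot steer the verifier into the "none" branch. Passing the set explicitly also means that an application which does want unsecured payloads has to say so in its own code, which is the behaviour the proposed RECOMMENDED text describes.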
