BTW, I added support for JWP to PyJOSE. It was easier than adding support for "none".
<https://github.com/bifurcation/pyjose/commit/5ad79d842beb6b680be6ba14263a9b85c29fde65>

On Wed, Sep 4, 2013 at 6:49 PM, Richard Barnes <[email protected]> wrote:

> Just so people have a point of comparison, my proposed "JSON Web Payload"
> definition is in the patch attached to ISSUE-36:
> <http://trac.tools.ietf.org/wg/jose/trac/attachment/ticket/36/ALG-NONE.patch>
>
> I agree with James and Vladimir that a separate object type is easier to
> get right than all of the security checks that "none" requires.
>
> --Richard
>
>
> On Tue, Sep 3, 2013 at 2:02 PM, Mike Jones <[email protected]> wrote:
>
>> I took an action item during the last call to write text along the
>> lines suggested by ekr about applications and "alg":"none". I propose that
>> the following text be included:
>>
>> It is RECOMMENDED that libraries provide applications a means of
>> specifying the list of acceptable algorithms used in a JWS object in a way
>> that causes inputs using algorithms outside the specified set to be
>> rejected. In particular, it is intended for applications to use this
>> mechanism to exclude accepting inputs using "alg":"none" in security
>> contexts where non-integrity protected inputs are not acceptable.
>>
>> Feedback/proposed wording refinements welcomed.
>>
>> -- Mike
>>
>> _______________________________________________
>> jose mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/jose
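The algorithm allow-list recommended in the quoted text above, as an added sketch that is not PyJOSE code or part of the original thread. The names `verify_compact`, `sign_compact`, `allowed_algs` and the exception classes are assumptions made for illustration, and only the HMAC algorithms are implemented.

```python
import base64, hashlib, hmac, json

# HMAC algorithms this sketch implements; "none" is deliberately not among them.
HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

class RejectedAlgorithm(ValueError):
    """The header's alg is outside the application's allow-list."""

class BadSignature(ValueError):
    """The MAC does not match the signing input."""

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_compact(payload: bytes, key: bytes, alg: str = "HS256") -> str:
    """Build a JWS compact serialization protected with an HMAC."""
    header = json.dumps({"alg": alg}, separators=(",", ":")).encode()
    signing_input = b64url_encode(header) + "." + b64url_encode(payload)
    mac = hmac.new(key, signing_input.encode("ascii"), HMAC_ALGS[alg]).digest()
    return signing_input + "." + b64url_encode(mac)

def verify_compact(token: str, key: bytes, allowed_algs: frozenset) -> bytes:
    """Return the payload only if alg is allow-listed and the MAC verifies."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(b64url_decode(h64))
        signature = b64url_decode(s64)
    except ValueError as exc:
        raise ValueError("malformed JWS compact serialization") from exc
    alg = header.get("alg") if isinstance(header, dict) else None
    # The header is untrusted input: the caller's list decides, not the token.
    if not isinstance(alg, str) or alg not in allowed_algs or alg not in HMAC_ALGS:
        raise RejectedAlgorithm(f"algorithm {alg!r} is not accepted")
    expected = hmac.new(key, f"{h64}.{p64}".encode("ascii"), HMAC_ALGS[alg]).digest()
    if not hmac.compare_digest(expected, signature):
        raise BadSignature("MAC mismatch")
    return b64url_decode(p64)

if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample key
    unsigned = b64url_encode(b'{"alg":"none"}') + "." + b64url_encode(b"hello") + "."
    for tok in (sign_compact(b"hello", key), unsigned):
        try:
            print(verify_compact(tok, key, frozenset({"HS256"})))
        except ValueError as err:
            print("rejected:", err)
```

The allow-list check runs before any MAC is computed, so an unsigned object is refused even if a caller mistakenly lists "none" as acceptable.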
