Exactly the same security checks are required at the library level no matter 
what the protocol representation, assuming that the library supports all JOSE 
object types.  An object using your JWP is acceptable in exactly the same 
situations that an "alg":"none" JWS is, as there's no security difference 
between them - only a protocol syntax difference.

                                                                -- Mike

From: Richard Barnes [mailto:[email protected]]
Sent: Wednesday, September 04, 2013 3:51 PM
To: Mike Jones
Cc: [email protected]
Subject: Re: [jose] Text about applications and "alg":"none"

BTW, I added support for JWP to PyJOSE.  It was easier than adding support for 
"none".
<https://github.com/bifurcation/pyjose/commit/5ad79d842beb6b680be6ba14263a9b85c29fde65>

On Wed, Sep 4, 2013 at 6:49 PM, Richard Barnes <[email protected]> wrote:
Just so people have a point of comparison, my proposed "JSON Web Payload" 
definition is in the patch attached to ISSUE-36:
<http://trac.tools.ietf.org/wg/jose/trac/attachment/ticket/36/ALG-NONE.patch>

I agree with James and Vladimir that a separate object type is easier to get 
right than all of the security checks that "none" requires.

--Richard

On Tue, Sep 3, 2013 at 2:02 PM, Mike Jones <[email protected]> wrote:
I took an action item during the last call to write text along the lines 
suggested by ekr about applications and "alg":"none".  I propose that the 
following text be included:

It is RECOMMENDED that libraries provide applications a means of specifying the 
list of acceptable algorithms used in a JWS object in a way that causes inputs 
using algorithms outside the specified set to be rejected.  In particular, it 
is intended for applications to use this mechanism to exclude accepting inputs 
using "alg":"none" in security contexts where non-integrity protected inputs 
are not acceptable.

Feedback/proposed wording refinements welcomed.

                                                                -- Mike


_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
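The mechanism proposed in the thread, an application-supplied set of acceptable algorithms that the library enforces before any signature logic runs, is shown below as an added example. It is not code from this thread, from PyJOSE, or from any JOSE library; it implements only HS256 and "none", uses a constructed demo key, and the builder exists solely to construct test inputs, including an unsigned "alg":"none" object so the rejection path can be exercised.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key for illustration; not from the thread.
DEMO_KEY = b"example-shared-secret-for-illustration"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jws(payload: dict, key: bytes, alg: str) -> str:
    """Build a compact JWS. Used here only to construct inputs for the verifier,
    including an "alg":"none" object, which per JWS carries an empty signature."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    if alg == "none":
        sig = b""
    elif alg == "HS256":
        sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    else:
        raise ValueError("unsupported alg in demo builder")
    return signing_input + "." + b64url_encode(sig)


class JWSRejected(Exception):
    """Raised for any input the verifier will not accept."""


def verify_jws(token: str, key: bytes, allowed_algs) -> dict:
    """Verify a compact JWS and return its payload.

    allowed_algs is the application's acceptable set. The header's "alg" is
    checked against it first, so "none" (and any algorithm the application did
    not list) is rejected before a key is touched or a signature examined.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise JWSRejected("not a compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError) as exc:
        raise JWSRejected("malformed header") from exc
    alg = header.get("alg")
    if not isinstance(alg, str) or alg not in allowed_algs:
        raise JWSRejected(f"algorithm {alg!r} not in application allowlist")
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    signature = b64url_decode(sig_b64)
    if alg == "HS256":
        expected = hmac.new(key, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            raise JWSRejected("bad signature")
    elif alg == "none":
        # Only reachable when the application explicitly listed "none".
        if signature != b"":
            raise JWSRejected('"none" object must carry an empty signature')
    else:
        raise JWSRejected(f"allowlisted algorithm {alg!r} not implemented")
    return json.loads(b64url_decode(payload_b64))


def rejects(token: str, key: bytes, allowed_algs) -> bool:
    """True if verify_jws refuses the token under the given allowlist."""
    try:
        verify_jws(token, key, allowed_algs)
    except JWSRejected:
        return True
    return False


def demo() -> dict:
    """Exercise the allowlist on constructed inputs and report each outcome."""
    signed = make_jws({"sub": "alice"}, DEMO_KEY, "HS256")
    unsigned = make_jws({"sub": "alice", "admin": True}, DEMO_KEY, "none")
    return {
        "signed_ok": verify_jws(signed, DEMO_KEY, {"HS256"})["sub"] == "alice",
        "wrong_key_rejected": rejects(signed, b"some-other-key", {"HS256"}),
        "none_rejected_by_default": rejects(unsigned, DEMO_KEY, {"HS256"}),
        # An application that consciously opts in still gets "none" objects.
        "none_accepted_when_opted_in": not rejects(unsigned, DEMO_KEY, {"HS256", "none"}),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The ordering is the point: the allowlist check sits before key lookup and signature handling, so an unsigned object cannot reach code that might treat an empty signature as valid. Whether "none" is ever accepted is then purely an application decision, which is what the proposed text asks libraries to make possible.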
