No.  jose.verify(JWP) will always fail.  So there's no downgrade risk.

On Wed, Sep 4, 2013 at 6:55 PM, Mike Jones <[email protected]>wrote:

> Exactly the same security checks are required at the library level no
> matter what the protocol representation, assuming that the library supports
> all JOSE object types.  An object using your JWP is acceptable in exactly
> the same situations that an "alg":"none" JWS is, as there's no security
> difference between them – only a protocol syntax difference.
>
>                                                                 -- Mike
>
>
> *From:* Richard Barnes [mailto:[email protected]]
> *Sent:* Wednesday, September 04, 2013 3:51 PM
> *To:* Mike Jones
> *Cc:* [email protected]
> *Subject:* Re: [jose] Text about applications and "alg":"none"
>
> BTW, I added support for JWP to PyJOSE.  It was easier than adding support
> for "none".
>
> <https://github.com/bifurcation/pyjose/commit/5ad79d842beb6b680be6ba14263a9b85c29fde65>
>
>
> On Wed, Sep 4, 2013 at 6:49 PM, Richard Barnes <[email protected]> wrote:
>
> Just so people have a point of comparison, my proposed "JSON Web Payload"
> definition is in the patch attached to ISSUE-36:
>
> <http://trac.tools.ietf.org/wg/jose/trac/attachment/ticket/36/ALG-NONE.patch>
>
> I agree with James and Vladimir that a separate object type is easier to
> get right than all of the security checks that "none" requires.
>
> --Richard
>
> On Tue, Sep 3, 2013 at 2:02 PM, Mike Jones <[email protected]>
> wrote:
>
> I took an action item during the last call to write text along the
> lines suggested by ekr about applications and "alg":"none".  I propose that
> the following text be included:
>
> It is RECOMMENDED that libraries provide applications a means of
> specifying the list of acceptable algorithms used in a JWS object in a way
> that causes inputs using algorithms outside the specified set to be
> rejected.  In particular, it is intended for applications to use this
> mechanism to exclude accepting inputs using "alg":"none" in security
> contexts where non-integrity protected inputs are not acceptable.
>
> Feedback/proposed wording refinements welcomed.
>
>                                                                 -- Mike
>
> _______________________________________________
> jose mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/jose
>
>