Per the reply in my other note – sometimes it’s fine for parameters encoded in 
an unsigned JWS not to be secured, just like it’s fine for HTTP request 
parameters to not be secured.  Signing the set of request parameters strictly 
adds additional value.

In other use cases, the JWS payload is secured by other means, such as TLS.

"alg": "none" is in production use for both of these kinds of scenarios.

                                                            -- Mike

From: Kathleen Moriarty [mailto:[email protected]]
Sent: Thursday, April 17, 2014 10:21 AM
To: Vladimir Dzhuvinov
Cc: [email protected]; Mike Jones; 
[email protected]
Subject: Re: [jose] AD review of draft-ietf-jose-json-web-algorithms

Thanks, Vladimir.

How would they be secured then?  With the current threat landscape, it seems 
odd that we would be putting forth a method that is not secured?  Does this 
rely on transport for security?

On Thu, Apr 17, 2014 at 12:57 PM, Vladimir Dzhuvinov 
<[email protected]> wrote:
Hi Kathleen,


> Section 3.6 - Can you explain why would this be included?  If you are not 
> going to sign, I am not sure why one would use JOSE at all.
>
Perhaps the most popular application of JWS today is to construct JSON
Web Tokens (JWT), such as the ID tokens in OpenID Connect. The JWT spec
permits plain tokens that don't have a signature and this is enabled by
the special case "none" alg in JWS.

Plaintext JWTs are explained here:

http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-19#section-6


Vladimir



--

Best regards,
Kathleen
_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
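An added example, not code from this thread or from any participant's implementation, of the verifier-side check the "none" discussion above implies: the "alg" header is untrusted input, so an unsecured JWS is accepted only when the verifier has explicitly opted in (the TLS-protected case Mike describes) and no key is configured, and a keyed verifier never falls through to "none". The function names and the HS256 key are assumptions for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional


def _b64url_encode(data: bytes) -> str:
    # JWS uses base64url without padding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jws(payload: dict, key: Optional[bytes]) -> str:
    """Compact JWS: HS256 when a key is given, unsecured ("none") otherwise."""
    header = {"alg": "none" if key is None else "HS256"}
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    if key is None:
        return signing_input + "."  # unsecured JWS: empty signature part
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_jws(token: str, key: Optional[bytes], allow_unsecured: bool = False) -> dict:
    """Return the payload if the JWS is acceptable here, else raise ValueError.

    The verifier, not the token, decides which algorithms are acceptable; the
    "alg" header is only compared against that policy, never trusted on its own.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    h_b64, p_b64, s_b64 = parts
    alg = json.loads(_b64url_decode(h_b64)).get("alg")
    if alg == "none":
        # Unsecured JWS: only when explicitly allowed, with no key configured,
        # so a keyed verifier can never be downgraded to "none" by the token.
        if not allow_unsecured or key is not None or s_b64 != "":
            raise ValueError("unsecured JWS rejected")
        return json.loads(_b64url_decode(p_b64))
    if alg == "HS256" and key is not None:
        expected = hmac.new(key, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
            raise ValueError("bad signature")
        return json.loads(_b64url_decode(p_b64))
    raise ValueError(f"algorithm {alg!r} not acceptable here")
```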
