> Thanks, Vladimir.
>
> How would they be secured then? With the current threat landscape, it
> seems odd that we would be putting forth a method that is not secured?
> Does this rely on transport for security?

Yes, securing the JWS message with TLS for instance, as Mike just pointed
out in his response.

JWT-encoded ID tokens in OpenID Connect are one such example, but only
when the token is returned from the OAuth 2.0 token endpoint, where TLS is
mandatory; clients can then register to receive plaintext ID tokens:

http://openid.net/specs/openid-connect-core-1_0.html#IDToken

There is a section in the JWA spec to instruct developers of the various
security considerations regarding use of the "none" alg in JWS:

http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-25#section-8.5

Vladimir

> On Thu, Apr 17, 2014 at 12:57 PM, Vladimir Dzhuvinov <
> [email protected]> wrote:
>
> > Hi Kathleen,
> >
> > > Section 3.6 - Can you explain why this would be included? If you are
> > > not going to sign, I am not sure why one would use JOSE at all.
> >
> > Perhaps the most popular application of JWS today is to construct JSON
> > Web Tokens (JWT), such as the ID tokens in OpenID Connect. The JWT spec
> > permits plain tokens that don't have a signature, and this is enabled by
> > the special case "none" alg in JWS.
> >
> > Plaintext JWTs are explained here:
> >
> > http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-19#section-6
> >
> > Vladimir
>
> --
> Best regards,
> Kathleen

_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
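The following is an added example, not code from the thread, the JOSE working group, or any of the drafts linked above. It shows the consumer-side policy the JWA security considerations section calls for: a compact JWS parser that takes the algorithm from a fixed allowlist and refuses the unsecured "none" alg unless the caller explicitly opts in, which in the OpenID Connect case above would only be when the token was fetched directly from the token endpoint over TLS. The function and parameter names (`verify_jws`, `allow_unsecured`, `accepts`) and the sample claims are my own constructions; only HS256 and "none" are implemented so the block runs with the standard library alone.

```python
import base64
import hashlib
import hmac
import json

# Added example (not from the mailing-list thread). Hypothetical policy:
# "none" is refused by default; a caller passes allow_unsecured=True only
# for tokens received over a channel that supplies its own integrity
# (e.g. TLS to the OAuth 2.0 token endpoint, as discussed above).


class JWSError(Exception):
    """Raised for any structural or cryptographic rejection of a token."""


def b64url_encode(data: bytes) -> str:
    # JWS uses base64url without '=' padding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # restore the padding that JWS strips before handing to the decoder
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_jws(payload: dict, alg: str, key: bytes = b"") -> str:
    """Build a compact JWS (header.payload.signature) for HS256 or 'none'."""
    header = {"alg": alg, "typ": "JWT"}
    compact = json.dumps(header, separators=(",", ":")).encode()
    signing_input = (b64url_encode(compact) + "." +
                     b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    if alg == "none":
        # unsecured JWS: the third part is empty, so the token ends with '.'
        return signing_input + "."
    if alg == "HS256":
        sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
        return signing_input + "." + b64url_encode(sig)
    raise JWSError(f"unsupported alg {alg!r}")


def verify_jws(token: str, key: bytes = b"", allow_unsecured: bool = False) -> dict:
    """Parse and verify a compact JWS; return the payload claims on success.

    The alg header selects from an allowlist and is never trusted blindly:
    'none' is accepted only with allow_unsecured=True, and even then the
    signature part must be empty as the JWS draft requires.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise JWSError("compact JWS must have exactly three parts")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    alg = header.get("alg")
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")

    if alg == "none":
        if not allow_unsecured:
            raise JWSError("unsecured JWS refused: no integrity-protected channel")
        if sig_b64 != "":
            raise JWSError("'none' JWS must carry an empty signature part")
    elif alg == "HS256":
        if not key:
            raise JWSError("HS256 token received but no key is configured")
        expected = hmac.new(key, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            raise JWSError("HS256 signature mismatch")
    else:
        raise JWSError(f"alg {alg!r} is not in the allowlist")

    return json.loads(b64url_decode(payload_b64))


def accepts(token: str, **kwargs) -> bool:
    """Convenience wrapper: True if verify_jws accepts the token, else False."""
    try:
        verify_jws(token, **kwargs)
        return True
    except JWSError:
        return False


if __name__ == "__main__":
    # constructed sample claims, not taken from any real token
    claims = {"iss": "https://issuer.example", "sub": "alice"}
    plain = encode_jws(claims, "none")
    print("plaintext token, default policy:", accepts(plain))
    print("plaintext token, TLS-fetched opt-in:", accepts(plain, allow_unsecured=True))
    signed = encode_jws(claims, "HS256", key=b"constructed-demo-key")
    print("HS256 token, right key:", accepts(signed, key=b"constructed-demo-key"))
```

The opt-in flag is deliberately per call rather than global: a resource server that accepts tokens from arbitrary clients never sets it, while a relying party that just received an ID token straight from the token endpoint over TLS may.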
