Thanks, Vladimir. Is there consensus in the WG that this is the right thing to do? I'm expecting some push-back on this one and want to make sure it has consensus behind it. I have heard of a couple of objections already.
On Thu, Apr 17, 2014 at 2:10 PM, Vladimir Dzhuvinov <[email protected]> wrote:

>> Thanks, Vladimir.
>>
>> How would they be secured then? With the current threat landscape, it
>> seems odd that we would be putting forth a method that is not secured?
>> Does this rely on transport for security?
>
> Yes, securing the JWS message with TLS for instance, as Mike just pointed
> out in his response.
>
> JWT-encoded ID tokens in OpenID Connect is one such example, but only when
> the token is returned from the OAuth 2.0 token endpoint where TLS is
> mandatory, clients can then register to receive plaintext ID tokens:
>
> http://openid.net/specs/openid-connect-core-1_0.html#IDToken
>
> There is a section in the JWA spec to instruct developers of the various
> security considerations regarding use of "none" alg JWS:
>
> http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-25#section-8.5
>
> Vladimir
>
>
>> On Thu, Apr 17, 2014 at 12:57 PM, Vladimir Dzhuvinov <[email protected]> wrote:
>>
>> > Hi Kathleen,
>> >
>> > > Section 3.6 - Can you explain why this would be included? If you are
>> > > not going to sign, I am not sure why one would use JOSE at all.
>> >
>> > Perhaps the most popular application of JWS today is to construct JSON
>> > Web Tokens (JWT), such as the ID tokens in OpenID Connect. The JWT spec
>> > permits plain tokens that don't have a signature and this is enabled by
>> > the special case "none" alg in JWS.
>> >
>> > Plaintext JWTs are explained here:
>> >
>> > http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-19#section-6
>> >
>> > Vladimir
>>
>> --
>> Best regards,
>> Kathleen

--
Best regards,
Kathleen
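As an added illustration of the plaintext ("none" alg) JWT shape the thread is discussing, the following is example code written for this page, not code from the thread or from the JWT/JWA drafts it cites. It builds an unsecured JWT (header `{"alg":"none"}`, empty signature segment) and parses one with a verifier that rejects `alg` "none" unless the deployment has explicitly opted in, which is the application-level decision the JWA security considerations leave to the implementer. Function names and the sample claims are constructed for the example.

```python
import base64
import json


def b64url_encode(data: bytes) -> str:
    """base64url without '=' padding, as JWS compact serialization requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; re-adds the padding base64 needs."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_unsecured_jwt(claims: dict) -> str:
    """Build an Unsecured JWT: alg 'none' and an empty third segment."""
    header = b64url_encode(json.dumps({"alg": "none"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}."


def parse_jwt(token: str, *, allow_none: bool = False) -> dict:
    """Return the claims of a JWT, refusing alg 'none' unless opted in.

    A token declaring 'none' carries no integrity protection of its own, so
    it is only acceptable where the surrounding context (TLS to the token
    endpoint, in the OpenID Connect case) already provides that protection.
    Only the 'none' case is implemented here; other algs are rejected.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("JWS compact serialization needs exactly three segments")
    header = json.loads(b64url_decode(parts[0]))
    alg = header.get("alg")
    if alg != "none":  # alg values are case-sensitive; 'None' is not 'none'
        raise ValueError(f"no verifier configured for alg {alg!r}")
    if not allow_none:
        raise ValueError("unsecured JWT rejected: alg 'none' is not allowed here")
    if parts[2] != "":
        raise ValueError("alg 'none' requires an empty signature segment")
    return json.loads(b64url_decode(parts[1]))


def is_accepted(token: str, *, allow_none: bool = False) -> bool:
    """Convenience wrapper: True if parse_jwt accepts the token."""
    try:
        parse_jwt(token, allow_none=allow_none)
        return True
    except ValueError:
        return False
```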
