+1
On Fri, Apr 25, 2014 at 7:17 PM, Brian Campbell <[email protected]>wrote: > Plaintext JWSs haven't been free of controversy but the topic has been > discussed many times and the [rough] consensus of the WG is that the "none" > JWS alg is useful. It is in use by the finalized versions of OpenID > Connect, as Vladimir has alluded to. And it has been fairly wildly deployed > in production use. > > The "Plaintext JWS Security Considerations" in section 8.5 of JWA [1] > represents the consensus the WG came to, which keeps the "none" alg but > mandates that implementations "MUST NOT accept such objects as valid unless > the application specifies that it is acceptable for a specific object." > > [1] > http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-25#section-8.5 > > Vladimir > > On Fri, Apr 25, 2014 at 2:51 PM, Kathleen Moriarty < > [email protected]> wrote: > >> Thanks, Vladimir. >> >> Is there consensus in the WG that this is the right thing to do? I'm >> expecting some push-back on this one and want to make sure it has >> consensus behind it. I have heard of a couple of objections already. >> >> On Thu, Apr 17, 2014 at 2:10 PM, Vladimir Dzhuvinov >> <[email protected]> wrote: >> >> Thanks, Vladimir. >> >> >> >> How would they be secured then? With the current threat landscape, it >> >> seems odd that we would be putting forth a method that is not secured? >> >> Does this rely on transport for security? >> > >> > Yes, securing the JWS message with TLS for instance, as Mike just >> > pointed >> > out in the his response. >> > >> > JWT-encoded ID tokens in OpenID Connect is one such example, but only >> > when >> > the token is returned from the OAuth 2.0 token endpoint where TLS is >> > mandatory, clients can then register to receive plaintext ID tokens: >> > >> > http://openid.net/specs/openid-connect-core-1_0.html#IDToken >> > >> > >> > There is a section in the JWA spec to instruct developers of the various >> > security >> > considerations regarding use of "none" alg JWS: >> > >> > >> http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-25#section-8.5 >> > >> > >> > Vladimir >> > >> > >> > >> >> On Thu, Apr 17, 2014 at 12:57 PM, Vladimir Dzhuvinov < >> >> [email protected]> wrote: >> >> >> >> > Hi Kathleen, >> >> > >> >> > >> >> > > Section 3.6 - Can you explain why would this be included? If you >> are >> >> > not going to sign, I am not sure why one would use JOSE at all. >> >> > > >> >> > >> >> > Perhaps the most popular application of JWS today is to construct >> JSON >> >> > Web Tokens (JWT), such as the ID tokens in OpenID Connect. The JWT >> spec >> >> > permits plain tokens that don't have a signature and this is enabled >> by >> >> > the special case "none" alg in JWS. >> >> > >> >> > Plaintext JWTs are explained here: >> >> > >> >> > >> http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-19#section-6 >> >> > >> >> > >> >> > Vladimir >> >> > >> >> > >> >> >> >> >> >> -- >> >> >> >> Best regards, >> >> Kathleen >> >> >> >> -- >> >> Best regards, >> Kathleen >> >> _______________________________________________ >> jose mailing list >> [email protected] >> https://www.ietf.org/mailman/listinfo/jose >> > > > _______________________________________________ > jose mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/jose > >
_______________________________________________ jose mailing list [email protected] https://www.ietf.org/mailman/listinfo/jose
