+1 On Apr 25, 2014, at 7:17 PM, Brian Campbell <[email protected]> wrote:
> Plaintext JWSs haven't been free of controversy but the topic has been > discussed many times and the [rough] consensus of the WG is that the "none" > JWS alg is useful. It is in use by the finalized versions of OpenID Connect, > as Vladimir has alluded to. And it has been fairly wildly deployed in > production use. > > The "Plaintext JWS Security Considerations" in section 8.5 of JWA [1] > represents the consensus the WG came to, which keeps the "none" alg but > mandates that implementations "MUST NOT accept such objects as valid unless > the application specifies that it is acceptable for a specific object." > > [1] > http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-25#section-8.5 > > Vladimir > On Fri, Apr 25, 2014 at 2:51 PM, Kathleen Moriarty > <[email protected]> wrote: > Thanks, Vladimir. > > Is there consensus in the WG that this is the right thing to do? I'm > expecting some push-back on this one and want to make sure it has > consensus behind it. I have heard of a couple of objections already. > > On Thu, Apr 17, 2014 at 2:10 PM, Vladimir Dzhuvinov > <[email protected]> wrote: > >> Thanks, Vladimir. > >> > >> How would they be secured then? With the current threat landscape, it > >> seems odd that we would be putting forth a method that is not secured? > >> Does this rely on transport for security? > > > > Yes, securing the JWS message with TLS for instance, as Mike just > > pointed > > out in the his response. > > > > JWT-encoded ID tokens in OpenID Connect is one such example, but only > > when > > the token is returned from the OAuth 2.0 token endpoint where TLS is > > mandatory, clients can then register to receive plaintext ID tokens: > > > > http://openid.net/specs/openid-connect-core-1_0.html#IDToken > > > > > > There is a section in the JWA spec to instruct developers of the various > > security > > considerations regarding use of "none" alg JWS: > > > > http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-25#section-8.5 > > > > > > Vladimir > > > > > > > >> On Thu, Apr 17, 2014 at 12:57 PM, Vladimir Dzhuvinov < > >> [email protected]> wrote: > >> > >> > Hi Kathleen, > >> > > >> > > >> > > Section 3.6 - Can you explain why would this be included? If you are > >> > not going to sign, I am not sure why one would use JOSE at all. > >> > > > >> > > >> > Perhaps the most popular application of JWS today is to construct JSON > >> > Web Tokens (JWT), such as the ID tokens in OpenID Connect. The JWT spec > >> > permits plain tokens that don't have a signature and this is enabled by > >> > the special case "none" alg in JWS. > >> > > >> > Plaintext JWTs are explained here: > >> > > >> > http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-19#section-6 > >> > > >> > > >> > Vladimir > >> > > >> > > >> > >> > >> -- > >> > >> Best regards, > >> Kathleen > > > > -- > > Best regards, > Kathleen > > _______________________________________________ > jose mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/jose > > _______________________________________________ > jose mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/jose
_______________________________________________ jose mailing list [email protected] https://www.ietf.org/mailman/listinfo/jose
