On Tue, Sep 16, 2014 at 7:48 AM, Stephen Kent <[email protected]> wrote:

> Thanks for the clarifying comments. I am still a bit puzzled, though. I
> thought JWK was a proposal to establish JSON formats for key transport.
> Are you saying that the formats we are about to standardize have been in
> use in JSON for a while and that's why parsers are not prepared to reject
> dupe keys? Or is this a lower layer, JS issue re parsing?
I’m not clear on the history, but I have heard that dupe keys are sometimes generated by software that’s producing output on a streaming basis, that can’t afford to keep track of every key it’s already generated.

It is also my impression that for essentially all software that receives and parses JSON, dupe keys are useless and perhaps damaging, since JSON objects are invariably stuffed into hash-table-flavored things that don’t support dupe keys.

It’s just that in the JOSE context, there is (justified) concern that there are attack vectors based on the use of dupe keys. Everyone agrees (I think) that it would be desirable for such messages to be rejected. It’s just that current production software doesn’t make this easy.

> Steve

-- 
Tim Bray (If you’d like to send me a private message, see https://keybase.io/timbray)
_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
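The rejection Tim describes as desirable can be done at parse time with a hook that sees every member name before the object is built. This is an added example, not code from the thread or from any JOSE library; the JWK-style sample document and the function names are constructed for illustration.

```python
from __future__ import annotations

import json
from typing import Any


class DuplicateKeyError(ValueError):
    """Raised when a JSON object carries the same member name twice."""


def _reject_duplicates(pairs: list[tuple[str, Any]]) -> dict[str, Any]:
    # json.loads calls this hook once per object, innermost first, with the
    # members in document order, so nested objects are checked as well.
    obj: dict[str, Any] = {}
    for key, value in pairs:
        if key in obj:
            raise DuplicateKeyError(f"duplicate member name: {key!r}")
        obj[key] = value
    return obj


def parse_json_strict(text: str) -> Any:
    """Parse JSON, rejecting any object that repeats a member name."""
    return json.loads(text, object_pairs_hook=_reject_duplicates)


def parse_json_lenient(text: str) -> Any:
    """Default parser behaviour, for comparison: the last duplicate wins silently."""
    return json.loads(text)


# Constructed sample (not from the thread): a JWK-style object in which the
# key material member "k" appears twice with different values. Two lenient
# parsers may legitimately disagree about which value is the key.
SAMPLE_DUPLICATE_K = '{"kty":"oct","k":"Zmlyc3Q","kid":"a","k":"c2Vjb25k"}'
SAMPLE_CLEAN = '{"kty":"oct","k":"Zmlyc3Q","kid":"a"}'
SAMPLE_NESTED_DUPLICATE = '{"keys":[{"kty":"oct","kid":"a","kid":"b"}]}'


def check(text: str) -> str:
    """Return a short verdict for a JSON document under the strict parser."""
    try:
        parse_json_strict(text)
    except DuplicateKeyError as exc:
        return f"rejected: {exc}"
    return "accepted"


if __name__ == "__main__":
    print(check(SAMPLE_DUPLICATE_K))
    print(check(SAMPLE_CLEAN))
    print(check(SAMPLE_NESTED_DUPLICATE))
    print(parse_json_lenient(SAMPLE_DUPLICATE_K)["k"])
```

The lenient call shows why the thread worries about dupe keys: Python's default parser keeps the second "k" without any indication that a first one existed.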
