This warning is already in place in 
https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32#section-7.2.  It 
says:

   Finally, note that it is an application decision which algorithms may
   be used in a given context.  Even if a JWT can be successfully
   validated, unless the algorithm(s) used in the JWT are acceptable to
   the application, it SHOULD reject the JWT.

                                -- Mike

-----Original Message-----
From: OAuth [mailto:[email protected]] On Behalf Of Hannes Tschofenig
Sent: Thursday, April 02, 2015 11:28 AM
To: Tim McLean
Cc: [email protected]; [email protected]
Subject: Re: [OAUTH-WG] [jose] Security research on JWT implementations

[[adding [email protected]]]

On 04/02/2015 08:01 PM, Tim McLean wrote:
> However, I do think one way of gauging the success of JWS/JOSE is to 
> measure how many implementers actually get the security details right.

I agree with you.

If several people got this wrong then it is a good idea to write about it. Of 
course, it was a bit difficult to foresee this issue at the time of writing the 
specification.

At a minimum we should put a version of your article at oauth.net.

Since the JWT spec (which you reference in your article) is still in
Auth48 state we can still add a warning remark to Section 7.2 of 
https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32.

Ciao
Hannes

_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
