The JOSE specifications aren't a security protocol - they are just
building blocks and primitives meant to be used by a security protocol.
XML-DSIG and XML-ENC from the last decade are similar constructions but
meant for XML (and with some resulting complexities).
These frameworks meant to be used in the context of a protocol - OpenID
Connect comes to mind - in which trust relationships and processing
rules describe how JOSE can be used to achieve, for example, message
authentication.
I take your point that people are using JOSE and signing/encryting bits
of stuff and pushing it around the internet without the benefit of a
higher-level protocol. And, yes, they are open to attacks and no doubt
misusing/misinterpreting the results.
On Thu, Apr 2, 2015 at 12:06 PM, Prateek Mishra
<[email protected] <mailto:[email protected]>> wrote:
This sounds like a basic misunderstanding about the role of a
"security toolkit" vs. an end-to-end protocol that uses a toolkit
(e.g., SAML or openID Connect).
For example, all of the crypto primitives available in java
(jca/jce) could also be "misused" in these ways, so I am not sure
this analysis is very helpful.
I'm not sure what you mean here. This isn't a case of implementers
misusing primitives -- this is a case of attackers forcing misuse of
primitives. Maybe you can clarify?
Tim
_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
