On Fri, May 12, 2017 at 05:03:51PM +0100, Sergey Beryozkin wrote:
> Thanks for the initial feedback. I'm not following at the moment how any of
> these attacks can affect it. Perhaps I'll need to work on making it more
> obvious how it is all implemented.

Well, from the description I gathered that (partial) output is passed to
application before the signature is verified. This is bad.

But perhaps the description is just a bit misleading, and all input is
buffered until signature is verified, and only then is the signed content
sent to the application.

JWS has an issue where signatures and MACs can be confused, leading to
signature forgery if JWS implementation is not careful.

JWE when used with ECDH-ES with NIST curves has an issue that compromises
the private decryption key if JWE implementation is not careful.

-Ilari
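
An added example, not code from this thread or from the implementation under discussion: a JWS compact verifier that handles the two JWS points in the message above, taking the algorithm from the key rather than from the token header and returning the payload only after the whole token has verified. The key store `KEYS`, the `kid` values, the function names and the key material are hypothetical and constructed for the example.

```python
import base64, hashlib, hmac, json

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

class JWSRejected(Exception):
    pass

# Hypothetical key store: every key is bound to exactly one algorithm.
KEYS = {
    "mac-1": {"alg": "HS256", "secret": b"constructed-demo-secret-32-bytes!"},
    "sig-1": {"alg": "RS256", "public_pem": b"(constructed placeholder PEM)"},
}

def sign_hs256(payload: bytes, kid: str, secret: bytes) -> str:
    """Build a constructed sample token for exercising the verifier."""
    header = b64url_encode(json.dumps({"alg": "HS256", "kid": kid}).encode())
    signing_input = f"{header}.{b64url_encode(payload)}"
    tag = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(tag)}"

def verify_compact(token: str, keys=KEYS) -> bytes:
    """Return the payload only after the complete token has verified."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(b64url_decode(h64))
        sig = b64url_decode(s64)
    except (ValueError, TypeError) as exc:
        raise JWSRejected("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(header.get("kid"), str):
        raise JWSRejected("bad header")
    key = keys.get(header["kid"])
    if key is None:
        raise JWSRejected("unknown key")
    # The key, not the token header, decides which algorithm is used.
    if header.get("alg") != key["alg"]:
        raise JWSRejected("alg does not match the key's bound algorithm")
    if key["alg"] != "HS256":
        # Signature algorithms need a crypto library; this example rejects them.
        raise JWSRejected("algorithm not supported by this example")
    mac = hmac.new(key["secret"], f"{h64}.{p64}".encode(), hashlib.sha256)
    if not hmac.compare_digest(mac.digest(), sig):
        raise JWSRejected("bad MAC")
    # Nothing is decoded for the application until this point.
    return b64url_decode(p64)
```

A token whose header names HS256 but whose `kid` points at the RS256 key is rejected at the algorithm check, before any key material is used as a MAC secret.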
