Thanks for the reply Orie. I'm the primary author of JJWT: https://github.com/jwtk/jjwt, so my question is grounded in general-purpose library support and not protocol design/support.
> If you are building a library that has to support all / older protocols...
> I recommend taking an approach that clearly distinguishes decoding from
> verifying.

I (very respectfully) disagree. Even just parsing untrusted payloads before cryptographic verification - before a library even has a chance to evaluate name/value pairs of a fully constructed JSON Object - can expose an application to security vulnerabilities.

Otherwise, yes, I'd agree that once JSON is (safely) converted to Object instances, verification and validation are separate concerns.

My question for the JOSE committee is whether payload parsing is even allowed before signature verification. And if it is, are there explicitly documented caveats (e.g. with RFC 2119 Notational Convention terminology: SHOULD, SHOULD NOT, etc.)? Or is it more "it's not explicitly prevented, and you should avoid it if possible, but feel free to support it if you want"?

Thanks again!

Les
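One way to structure the verify-before-parse order argued for above, as an added example that is neither JJWT's code nor from this thread: the key is pinned to HS256 out of band (an assumption), so the MAC is checked over the raw compact-serialization bytes and only afterwards are the header and payload handed to a JSON parser. Function names and the sample key and claims are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(key: bytes, claims: dict) -> str:
    # Compact JWS: BASE64URL(header) "." BASE64URL(payload) "." BASE64URL(MAC)
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(mac)}"

def verify_then_parse(key: bytes, token: str) -> dict:
    # The key is pinned to HS256 out of band (assumption), so the MAC is
    # recomputed over the signing input exactly as received; neither header
    # nor payload bytes reach the JSON parser until the MAC has been checked.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header_b64, payload_b64, mac_b64 = parts
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(mac_b64)):
        raise ValueError("MAC mismatch: payload never parsed")
    # Only now are the header and payload treated as JSON; the header must
    # still name the algorithm the key was pinned to, or the token is rejected.
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("alg in header does not match pinned key")
    return json.loads(b64url_decode(payload_b64))

def rejected_before_parse(key: bytes, token: str) -> bool:
    # True only when the MAC check refuses the token; a JSON decode error
    # (also a ValueError) would mean untrusted bytes reached the parser first.
    try:
        verify_then_parse(key, token)
        return False
    except ValueError as exc:
        return "MAC mismatch" in str(exc)
```

A tampered payload that is not even valid JSON is refused by the MAC check without the parser ever seeing it, which is the property the ordering is meant to guarantee.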
_______________________________________________ jose mailing list [email protected] https://www.ietf.org/mailman/listinfo/jose
