Is it the consensus of the JOSE RFC committee that parsing a JWS payload before it is trusted is acceptable?
Repeating the values in the header is certainly a viable solution, but that doesn't address what to do if the JWS issuer does not do that. I ask because, while I appreciate your suggestion, it doesn't address _why_ parsing any payload before it is verified is acceptable from a security standpoint and should be supported by JWS libraries. Is it a concession the RFC committee has discussed? Remember, a JWS payload can be anything at all - not just JSON, and even if JSON, not necessarily Claims. Parsing any stream of bytes well before they become a Map<String,Object> could potentially enable remote code execution attacks or other problems. And even if the payload is Claims JSON, payloads are often significantly larger than headers, so they're not the same from a risk perspective.
_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
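The verify-before-parse discipline the message argues for, shown as an added example that is not part of the mailing list thread or of any JWS library: an HS256 compact-serialization verifier that parses only the small protected header (to learn `alg`), checks the HMAC over the exact signing-input bytes, and hands the payload bytes to the caller's parser only after that check passes. The key, the claims and the helper names (`make_token`, `verify_then_parse`, `claims_from_token`, `is_rejected`, `with_replaced_payload`, `unsigned_token`, `parser_invoked_on_rejected_token`) are all constructed for this illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real deployment loads its key from a secret store.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWS omits '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, key: bytes) -> str:
    """Build an HS256 JWS in compact serialization: header.payload.signature."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_then_parse(token: str, key: bytes, allowed_algs=("HS256",)):
    """Return (header, raw_payload_bytes), but only after the signature checks out.

    The protected header is parsed first because 'alg' is needed to select the
    verifier; it is small and its shape is fixed by RFC 7515. The payload is
    not decoded, let alone handed to a parser, until the HMAC over the exact
    signing-input bytes has been verified.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header_b64, payload_b64, sig_b64 = parts

    header = json.loads(_b64url_decode(header_b64))
    if not isinstance(header, dict) or header.get("alg") not in allowed_algs:
        # Reject unexpected algorithms (including "none") before touching the payload.
        raise ValueError("algorithm not allowed")

    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature verification failed")

    # Trust established: now, and only now, decode the payload bytes.
    return header, _b64url_decode(payload_b64)


def claims_from_token(token: str, key: bytes, parser=json.loads) -> dict:
    """Verify first; the caller's parser sees payload bytes only afterwards."""
    _, payload = verify_then_parse(token, key)
    return parser(payload)


def is_rejected(token: str, key: bytes) -> bool:
    """True when verification refuses the token before any payload parsing."""
    try:
        verify_then_parse(token, key)
        return False
    except ValueError:  # binascii.Error is a ValueError subclass
        return True


def parser_invoked_on_rejected_token(token: str, key: bytes) -> bool:
    """Tripwire: would a payload parser ever run on a token that fails verification?"""
    calls = []

    def tripwire(raw: bytes) -> dict:
        calls.append(raw)
        return {}

    try:
        claims_from_token(token, key, parser=tripwire)
    except ValueError:
        pass
    return bool(calls)


def with_replaced_payload(token: str, new_claims: dict) -> str:
    """Test fixture: swap the payload segment without re-signing (constructed tampering)."""
    header_b64, _, sig_b64 = token.split(".")
    return f"{header_b64}.{_b64url_encode(json.dumps(new_claims).encode())}.{sig_b64}"


def unsigned_token(claims: dict) -> str:
    """Test fixture: a token claiming alg 'none' with an empty signature."""
    header = _b64url_encode(json.dumps({"alg": "none"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."


if __name__ == "__main__":
    good = make_token({"sub": "alice", "scope": "read"}, DEMO_KEY)
    print("verified claims:", claims_from_token(good, DEMO_KEY))
    tampered = with_replaced_payload(good, {"sub": "admin"})
    print("tampered rejected:", is_rejected(tampered, DEMO_KEY))
    print("parser ran on tampered token:", parser_invoked_on_rejected_token(tampered, DEMO_KEY))
```

The point the tripwire makes is the one the message raises: whatever the payload is (JSON claims or arbitrary bytes), the application's parser for it never executes on unverified input, so a payload-parser bug cannot be reached by an attacker who lacks the key. The same structure carries over to asymmetric algorithms; only the signature check in `verify_then_parse` changes.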
