M&M [email protected] wrote:
>Message: 1
>Date: Thu, 02 Apr 2015 20:28:12 +0200
>From: Hannes Tschofenig <[email protected]>
>To: Tim McLean <[email protected]>
>Cc: "[email protected]" <[email protected]>, [email protected]
>Subject: Re: [OAUTH-WG] [jose] Security research on JWT implementations
>
>[[adding [email protected]]]
>
>On 04/02/2015 08:01 PM, Tim McLean wrote:
>> However, I do think one way of gauging the success of JWS/JOSE is to
>> measure how many implementers actually get the security details right.
>
>I agree with you.
>
>If several people got this wrong then it is a good idea to write about
>it. Of course, it was a bit difficult to foresee this issue at the time
>of writing the specification.
>
>At a minimum we should put a version of your article at oauth.net.
>
>Since the JWT spec (which you reference in your article) is still in
>Auth48 state we can still add a warning remark to Section 7.2 of
>https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32.
>
>Ciao
>Hannes
>
>------------------------------
>
>Message: 2
>Date: Thu, 2 Apr 2015 18:42:43 +0000
>From: Mike Jones <[email protected]>
>To: Hannes Tschofenig <[email protected]>, Tim McLean <[email protected]>
>Cc: "[email protected]" <[email protected]>, "[email protected]" <[email protected]>
>Subject: Re: [OAUTH-WG] [jose] Security research on JWT implementations
>
>This warning is already in place in
>https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32#section-7.2.
>It says:
>
>   Finally, note that it is an application decision which algorithms may
>   be used in a given context.  Even if a JWT can be successfully
>   validated, unless the algorithm(s) used in the JWT are acceptable to
>   the application, it SHOULD reject the JWT.
>
>                                -- Mike
>
>------------------------------
>
>Message: 3
>Date: Thu, 02 Apr 2015 18:53:10 +0000
>From: Aaron Parecki <[email protected]>
>To: Mike Jones <[email protected]>, Hannes Tschofenig <[email protected]>, Tim McLean <[email protected]>
>Cc: "[email protected]" <[email protected]>, "[email protected]" <[email protected]>
>Subject: Re: [OAUTH-WG] [jose] Security research on JWT implementations
>
>I'm not sure what article you're referring to, but feel free to add the
>article and send a pull request to oauth.net:
>
>https://github.com/aaronpk/oauth.net
>
>Here's an example of the PR for the Authentication article that Justin
>added: https://github.com/aaronpk/oauth.net/pull/81
>
>Aaron Parecki
>
>------------------------------
>
>End of OAuth Digest, Vol 78, Issue 1
>************************************

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
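The rule Mike Jones quotes from Section 7.2, shown as an added example (not code from this thread or from any JWT library it mentions): a minimal HS256 verifier in which the application's own algorithm allowlist is the first gate, so a token whose header names any algorithm the application has not approved is rejected before its signature is even examined. `ACCEPTED_ALGS`, `make_hs256_jwt`, `verify_jwt` and the key are constructed for this illustration.

```python
import base64
import hashlib
import hmac
import json

# Hypothetical application policy (constructed): the only algorithm this
# service is willing to accept, decided by the application, not by the token.
ACCEPTED_ALGS = {"HS256"}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_jwt(claims: dict, key: bytes) -> str:
    """Build a compact-serialization JWS/JWT signed with HMAC-SHA256 (sample)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_jwt(token: str, key: bytes, accepted_algs=ACCEPTED_ALGS) -> dict:
    """Return the claims if the token is acceptable, otherwise raise ValueError.

    The 'alg' header is compared with the application's allowlist *before*
    any cryptographic check, which is what Section 7.2 asks for: a token that
    would validate under some algorithm is still rejected unless that
    algorithm is one the application accepts.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed compact JWS")
    header = json.loads(b64url_decode(header_b64))
    alg = header.get("alg")
    if alg not in accepted_algs:
        raise ValueError(f"algorithm {alg!r} not acceptable to this application")
    # Only HS256 is implemented here; the allowlist guarantees alg == "HS256".
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature verification failed")
    return json.loads(b64url_decode(payload_b64))
```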
