hi Mike, while I am the original author of one of the articles mentioned in the blog post (http://blog.intothesymmetry.com/2017/03/critical-vulnerability-in-json-web.html) I do not entirely share the criticism. That said, I must really admit that some of the cryptographic choices made, especially in JWE, are really questionable.
regards
antonio

On Mar 15, 2017, at 8:50 PM, Mike Jones <[email protected]> wrote:

> The bulk of this seems to be about applications that don't verify that the
> crypto algorithms that were used in a JWT are acceptable in the application
> context. While I know that some people would like crypto to be magic pixie
> dust that you can sprinkle on an application to get crypto goodness, it will
> never be that simple. Crypto algorithms that are thought to be good today
> will be deprecated later. Apps that keep allowing them to be used will be
> vulnerable. The JOSE specs requiring that applications be aware of the
> algorithms used is a good and necessary thing for long-term security - not a
> problem with the specs.
>
> That said, of course some implementers will get things wrong. To the extent
> that we can help them understand what they actually need to do to use the
> specifications securely, we obviously should. Perhaps we should write an
> article for oauth.net talking about some of these issues? Maybe a few of us
> can get together in Chicago and work on that.
>
> I'm looking forward to seeing many of you in 1.5 weeks!
>
> -- Mike
>
> -----Original Message-----
> From: OAuth [mailto:[email protected]] On Behalf Of Sergey Beryozkin
> Sent: Wednesday, March 15, 2017 8:46 AM
> To: [email protected]
> Subject: Re: [OAUTH-WG] More Criticism of JOSE
>
> and everyone should now start using the most secure alternative proposed in
> that very light-in-analysis article :-)
>
> Sergey
> On 15/03/17 15:43, Mike Schwartz wrote:
>> Sorry to be the bearer of bad news, but here's a negative review of JOSE:
>>
>> JOSE (Javascript Object Signing and Encryption) is a Bad Standard That
>> Everyone Should Avoid
>>
>> https://paragonie.com/blog/2017/03/jwt-json-web-tokens-is-bad-standard-that-everyone-should-avoid
>>
>> - Mike
>>
>> _______________________________________________
>> OAuth mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/oauth

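The point Mike Jones makes above, that the application, not the token's own header, decides which algorithms are acceptable, is easy to state and easy to get wrong in code. The following is an added example, not code from the thread, the JOSE specs or any library mentioned here: a minimal compact-JWS verifier that applies a per-application allowlist (assumed here to be HS256 only) before any cryptographic operation, rejects `alg: none` and any algorithm outside that policy, and only then checks the signature and the `exp` claim. The key and token values are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time

# Per-application policy: the only JWS algorithms this verifier will run.
# Assumption for this example: the application issues HS256 tokens only.
ALLOWED_ALGS = frozenset({"HS256"})


def b64url_decode(s: str) -> bytes:
    """Decode base64url without padding, as used by JOSE."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def sign_hs256(payload: dict, key: bytes) -> str:
    """Issue a compact JWS; used here only to build sample tokens."""
    header = b64url_encode(
        json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header}.{body}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def verify_jws(token: str, key: bytes, allowed_algs=ALLOWED_ALGS, now=None) -> dict:
    """Return the claims if the token is acceptable in this context, else raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError("unparseable header") from exc

    # Policy first: the header's "alg" is attacker-controlled input. It is
    # compared against the application's allowlist and never used to pick
    # the verifier on its own. "none" and unexpected algorithms stop here.
    alg = header.get("alg")
    if alg not in allowed_algs:
        raise ValueError(f"alg {alg!r} not acceptable here")

    if alg == "HS256":
        signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
        expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    else:
        raise ValueError(f"no verifier wired for {alg!r}")

    # Constant-time comparison of the MAC.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")

    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def check_token(token: str, key: bytes, now=None):
    """Convenience wrapper returning (accepted, reason) instead of raising."""
    try:
        verify_jws(token, key, now=now)
        return True, "ok"
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    KEY = b"constructed-demo-key"  # constructed sample key, not a real secret
    good = sign_hs256({"sub": "alice", "exp": 2000}, KEY)
    print(check_token(good, KEY, now=1000))
    # Same payload, header rewritten to "none" and signature dropped:
    none_tok = b64url_encode(b'{"alg":"none"}') + "." + good.split(".")[1] + "."
    print(check_token(none_tok, KEY, now=1000))
```

The design choice worth noting is the ordering: the allowlist check happens before the signature computation, so a token that names an algorithm the application never agreed to is rejected without the verifier ever touching the key, and adding a newly deprecated algorithm to the reject set is a one-line policy change rather than a code change in the crypto path.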