hi Mike

On Mar 15, 2017, at 10:06 PM, Mike Jones <[email protected]> wrote:

> Will you be in Chicago, Antonio?  If so, maybe you can sit down with us and 
> work on advice to implementers.

Unluckily not. FWIW I will be at 
https://zisc.ethz.ch/oauth-security-workshop-2017-cfp/. And I’d be glad to sit 
down with you and try to help if you are around….

regards

antonio


> 
>                               Cheers,
>                               -- Mike
> 
> -----Original Message-----
> From: Antonio Sanso [mailto:[email protected]] 
> Sent: Wednesday, March 15, 2017 1:40 PM
> To: Mike Jones <[email protected]>
> Cc: Sergey Beryozkin <[email protected]>; [email protected]
> Subject: Re: [OAUTH-WG] More Criticism of JOSE
> 
> hi Mike,
> 
> while I am the original author of one of the articles mentioned in the blog 
> post 
> (http://blog.intothesymmetry.com/2017/03/critical-vulnerability-in-json-web.html)
>  I do not share the criticism entirely.
> That said, I must really admit that some of the cryptographic choices made, 
> especially in JWE, are really questionable.
> 
> regards
> 
> antonio
> 
> On Mar 15, 2017, at 8:50 PM, Mike Jones <[email protected]> wrote:
> 
>> The bulk of this seems to be about applications that don't verify that the 
>> crypto algorithms that were used in a JWT are acceptable in the application 
>> context.  While I know that some people would like crypto to be magic pixie 
>> dust that you can sprinkle on an application to get crypto goodness, it will 
>> never be that simple.  Crypto algorithms that are thought to be good today 
>> will be deprecated later.  Apps that keep allowing them to be used will be 
>> vulnerable.  The JOSE specs requiring that applications be aware of the 
>> algorithms used is a good and necessary thing for long-term security - not a 
>> problem with the specs.
>> 
>> That said, of course some implementers will get things wrong.  To the extent 
>> that we can help them understand what they actually need to do to use the 
>> specifications securely, we obviously should.  Perhaps we should write an 
>> article for oauth.net talking about some of these issues?  Maybe a few of us 
>> can get together in Chicago and work on that.
>> 
>> I'm looking forward to seeing many of you in 1.5 weeks!
>> 
>>                              -- Mike
>> 
>> -----Original Message-----
>> From: OAuth [mailto:[email protected]] On Behalf Of Sergey 
>> Beryozkin
>> Sent: Wednesday, March 15, 2017 8:46 AM
>> To: [email protected]
>> Subject: Re: [OAUTH-WG] More Criticism of JOSE
>> 
>> and everyone should now start using the most secure alternative 
>> proposed in that very light-on-analysis article :-)
>> 
>> Sergey
>> On 15/03/17 15:43, Mike Schwartz wrote:
>>> Sorry to be the bearer of bad news, but here's a negative review of JOSE:
>>> 
>>> JOSE (Javascript Object Signing and Encryption) is a Bad Standard 
>>> That Everyone Should Avoid
>>> 
>>> https://paragonie.com/blog/2017/03/jwt-json-web-tokens-is-bad-standard-that-everyone-should-avoid
>>> 
>>> 
>>> - Mike
>>> 
>>> _______________________________________________
>>> OAuth mailing list
>>> [email protected]
>>> https://www.ietf.org/mailman/listinfo/oauth
>> 
> 
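The point Mike makes above, that the application, not the token, decides which algorithms are acceptable, as an added example that is not part of this thread and is not code from any of the participants: a minimal compact-JWS verifier in Python that enforces an algorithm allowlist and a key-to-algorithm binding before any signature is examined. The key, the allowlist and the sample tokens are constructed for the demo; a real deployment would use its own key material and policy.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key: used only to build the sample tokens in run_demo().
DEMO_KEY = b"constructed-demo-secret-do-not-reuse"

# Application policy: the only JWS algorithms this service accepts.
# Everything else, including "none", is rejected before any signature work.
ALLOWED_ALGS = frozenset({"HS256", "HS512"})

HMAC_DIGESTS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


class JWTRejected(Exception):
    """Raised for any token the verifier refuses; the message says why."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jws(payload: dict, key: bytes, alg: str) -> str:
    """Build a compact JWS with an HMAC algorithm (toy issuer for the demo)."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), HMAC_DIGESTS[alg]).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_jws(token: str, key: bytes, key_alg: str, allowed_algs=ALLOWED_ALGS) -> dict:
    """Verify a compact JWS against a key bound to exactly one algorithm.

    Policy runs first: the header alg must be in the allowlist AND equal the
    algorithm this key was provisioned for. The token therefore cannot select
    the digest or the key interpretation; the verifier's configuration does.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise JWTRejected("malformed compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
    except ValueError as exc:  # covers bad base64 (binascii.Error) and bad JSON
        raise JWTRejected("unparseable header") from exc
    if not isinstance(header, dict):
        raise JWTRejected("header is not a JSON object")
    alg = header.get("alg")
    if alg not in allowed_algs:
        raise JWTRejected(f"alg {alg!r} not in application allowlist")
    if alg != key_alg:
        raise JWTRejected(f"alg {alg!r} does not match key algorithm {key_alg!r}")
    # Only now is the signature computed, with the digest fixed by key_alg.
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, HMAC_DIGESTS[key_alg]).digest()
    try:
        presented = b64url_decode(sig_b64)
    except ValueError as exc:
        raise JWTRejected("unparseable signature") from exc
    if not hmac.compare_digest(expected, presented):
        raise JWTRejected("signature mismatch")
    try:
        return json.loads(b64url_decode(payload_b64))
    except ValueError as exc:
        raise JWTRejected("unparseable payload") from exc


def outcome(token: str, key: bytes, key_alg: str) -> str:
    """Return 'accepted' or the rejection reason; used for the demo table."""
    try:
        verify_jws(token, key, key_alg)
        return "accepted"
    except JWTRejected as exc:
        return f"rejected: {exc}"


def run_demo() -> dict:
    """Exercise the verifier with constructed tokens; returns {case: outcome}."""
    good = sign_jws({"sub": "alice", "role": "user"}, DEMO_KEY, "HS256")
    hdr, body, sig = good.split(".")
    # Claims re-encoded with a changed role but the original signature kept.
    tampered = ".".join([hdr, b64url_encode(b'{"sub":"alice","role":"admin"}'), sig])
    # Unsigned token: allowed nowhere in this service's policy.
    unsigned = b64url_encode(b'{"alg":"none"}') + "." + body + "."
    # Valid HS512 signature with the same key, but this key is bound to HS256.
    wrong_alg = sign_jws({"sub": "alice"}, DEMO_KEY, "HS512")
    return {
        "valid HS256": outcome(good, DEMO_KEY, "HS256"),
        "tampered payload": outcome(tampered, DEMO_KEY, "HS256"),
        "alg none": outcome(unsigned, DEMO_KEY, "HS256"),
        "alg/key mismatch": outcome(wrong_alg, DEMO_KEY, "HS256"),
    }


if __name__ == "__main__":
    for case, result in run_demo().items():
        print(f"{case:18s} {result}")
```

The design choice worth noting is that `key_alg` travels with the key: a verifier configured for HS256 rejects an otherwise valid HS512 token under the same secret, because accepting whatever the header names is exactly the behaviour the thread criticises. The allowlist is separate so that an algorithm can be retired for the whole service in one place when it is deprecated.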

