IETF Logo Mail Archive

Re: [jose] DISCUSS: Nonce/Timestamp parameter

Dick Hardt <dick.hardt@gmail.com> Mon, 27 August 2012 21:55 UTC

Return-Path: <dick.hardt@gmail.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C5B7021E803A for <jose@ietfa.amsl.com>; Mon, 27 Aug 2012 14:55:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.571
X-Spam-Level:
X-Spam-Status: No, score=-3.571 tagged_above=-999 required=5 tests=[AWL=0.027, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pQmyTFOzsHuA for <jose@ietfa.amsl.com>; Mon, 27 Aug 2012 14:55:08 -0700 (PDT)
Received: from mail-pb0-f44.google.com (mail-pb0-f44.google.com [209.85.160.44]) by ietfa.amsl.com (Postfix) with ESMTP id 13B3A21E8034 for <jose@ietf.org>; Mon, 27 Aug 2012 14:55:08 -0700 (PDT)
Received: by pbbrr4 with SMTP id rr4so8030012pbb.31 for <jose@ietf.org>; Mon, 27 Aug 2012 14:55:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:mime-version:content-type:from:in-reply-to:date:cc :message-id:references:to:x-mailer; bh=3g0WNyEdg/EuqE/3nZglIzcHqIruIGJNBNq5jwsgkmI=; b=XVVwgMybavMh0JxASWLQhUHoEXmQi/dIgRyA4OdwVNB+++3XuQr+nxq6kvvITjrC1S Z6d4QYCJip9I1snIBCmvH1/Rpsx2Aut4t4udoRDocR8o95F1qaMJUH/4NwNG1LSZVBNp foWOdPPIGYKuLxyCYXg+20/oVpMGNGEvqlRKkdcKl1WLWwTAh5T0QluWg8GaRDeXRx6g X0nI6NfP1HDvwjHVE7ixvBn1kGuwz9FQ+gBMQouqLEdf+muZxbsRML9djBTNIHa+yHH1 j49afOhVXTEOi6AN+D8kaVKoK73F9+qH0Ky3U8IhI82K8fqyEOI0J/mJa7z0qd7xYHjV i26g==
Received: by 10.68.190.8 with SMTP id gm8mr202938pbc.74.1346104507810; Mon, 27 Aug 2012 14:55:07 -0700 (PDT)
Received: from [10.0.0.4] (c-24-5-69-173.hsd1.ca.comcast.net. [24.5.69.173]) by mx.google.com with ESMTPS id qn13sm15481264pbb.71.2012.08.27.14.55.01 (version=TLSv1/SSLv3 cipher=OTHER); Mon, 27 Aug 2012 14:55:03 -0700 (PDT)
Mime-Version: 1.0 (Apple Message framework v1278)
Content-Type: multipart/alternative; boundary="Apple-Mail=_478A0AE9-C074-46FA-880D-35553089D0ED"
From: Dick Hardt <dick.hardt@gmail.com>
In-Reply-To: <CE8995AB5D178F44A2154F5C9A97CAF402517E00C107@HE111541.emea1.cds.t-internal.com>
Date: Mon, 27 Aug 2012 14:54:58 -0700
Message-Id: <97A7AE3F-E3AE-4F8A-9A34-8DCD780B3C05@gmail.com>
References: <CE8995AB5D178F44A2154F5C9A97CAF402517E00B8B5@HE111541.emea1.cds.t-internal.com> <CE8995AB5D178F44A2154F5C9A97CAF402517E00C0E7@HE111541.emea1.cds.t-internal.com> <8777DAED-4ADA-4691-B5CD-0E5CF308BC1C@gmail.com> <CALT9B_Tnz+9=a-NPuUTeSb31fFMi1cJMB-SeM7QJmSh=XrhHTA@mail.gmail.com> <6C5B4E61-C18F-470A-955C-B099A2208788@gmail.com> <CE8995AB5D178F44A2154F5C9A97CAF402517E00C107@HE111541.emea1.cds.t-internal.com>
To: Axel.Nennker@telekom.de
X-Mailer: Apple Mail (2.1278)
Cc: beaton@google.com, ietf@augustcellars.com, jose@ietf.org, dick.hardt@gmail.com
Subject: Re: [jose] DISCUSS: Nonce/Timestamp parameter
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Aug 2012 21:55:08 -0000

I was considering "iat" to be the timestamp. I was not thinking there would be an additional timestamp.

On Aug 27, 2012, at 2:13 PM, <Axel.Nennker@telekom.de> wrote:

> We have exp
>                 https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-03#section-4.1.1
> and iat
>                 https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-03#section-4.1.3
> in JWT. Why do we need a timestamp?
>  
> Replay attacks of the same jwt can be mitigated through the jti claim
> https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-03#section-4.1.7
>  
> What do timestamp and nonce add to these?
>  
> Axel
>  
>  
>  
> From: Dick Hardt [mailto:dick.hardt@gmail.com] 
> Sent: Monday, August 27, 2012 10:23 PM
> To: Brian Eaton
> Cc: Nennker, Axel; Jim Schaad; jose@ietf.org
> Subject: Re: [jose] DISCUSS: Nonce/Timestamp parameter
>  
>  
> On Aug 27, 2012, at 1:06 PM, Brian Eaton wrote:
> 
> 
> On Mon, Aug 27, 2012 at 12:11 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
> I have an application for JWT that is not OAuth2.
>  
> Should nonce and timestamp logic go in the application level protocol?
>  
> I prefer to NOT have the application level deal with token validity.
> 
> 
>  
> Having said that, nonce's are difficult to implement at scale and I have heard of many sites that don't implement them fully.
>  
> Nonce alone can't be implemented efficiently.  You have to have time stamps as well, otherwise you are stuck storing ever nonce you've ever seen, forever.
>  
> Even nonce + time stamp is challenging in distributed systems.  It adds a lot of complexity.  That complexity is sometimes merited, but not always.
>  
> Thanks for confirming my statement.
>  
> I have stopped using nonce and only use time stamps lately and have made the system relatively stateless so that a second submission of the token is ok. That may not work for everyone, but I have found that architecture to be easier to implement and scale.

v2.43.4 | Report a Bug | By Email | System Status