Re: [jose] Towards a More Secure JOSE Standard

Paragon Initiative Enterprises Security Team <security@paragonie.com> Fri, 31 March 2017 15:49 UTC

In-Reply-To: <CAOASepNaSLmey8fO0zzH77tfbQpyGadgQPSUjDcxT7LJYezjrA@mail.gmail.com>
References: <CAKws9z0UxAFynhW1jf34VARyV82VHVEwhg4E4rcyMMtSGeHj4w@mail.gmail.com> <FCF428D5-9FF5-460D-8C54-D148177A38F9@mit.edu> <CAKws9z1jhYfE4fJBSn9Yp+ETKRgsiH6ZsW5J76AfytWSAY-85w@mail.gmail.com> <CAOASepN8Q5aZEfkc6buoTpBo_Xpoavxt1e5qruX6Cg24K3Ec2g@mail.gmail.com> <CAKws9z1_H0+YXa-DLPEKKnTdZYQU7U4bvB9iRcDoGiLhcas+wA@mail.gmail.com> <CAOASepNaSLmey8fO0zzH77tfbQpyGadgQPSUjDcxT7LJYezjrA@mail.gmail.com>
From: Paragon Initiative Enterprises Security Team <security@paragonie.com>
Date: Fri, 31 Mar 2017 11:49:11 -0400
Message-ID: <CAKws9z3KTNNk-GkgCHeH65dg=cOCuVQexKUdbjbPqYMFm+GB2w@mail.gmail.com>
To: Nathaniel McCallum <npmccallum@redhat.com>
Cc: Justin Richer <jricher@mit.edu>, jose@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/7eAiYVBb5nwBsvCfJfLuvZ55oWg>
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>

On Fri, Mar 31, 2017 at 11:46 AM, Nathaniel McCallum <npmccallum@redhat.com>
wrote:

> On Thu, Mar 30, 2017 at 1:52 PM, Paragon Initiative Enterprises
> Security Team <security@paragonie.com> wrote:
>

(SNIP)

> Yes, it would be nice if the standard was less fragile in this area.
> But you're asking for a major change to an existing standard after it
> is published and many interoperable implementations exist. You have to
> realize this is a (very) hard sell.
>

The alternative is to tell people don't use JOSE, it's a bad standard
<https://paragonie.com/blog/2017/03/jwt-json-web-tokens-is-bad-standard-that-everyone-should-avoid>
and design a superior alternative to recommend instead. One that has
actually been vetted by cryptography experts.

Given only those two options, which would you rather see?

Security Team
Paragon Initiative Enterprises <https://paragonie.com/security>