Re: [jose] DISCUSS: Nonce/Timestamp parameter

Axel Nennker <ignisvulpis@googlemail.com> Sat, 25 August 2012 07:37 UTC

From: Axel Nennker <ignisvulpis@googlemail.com>
To: Mike Jones <Michael.Jones@microsoft.com>
Cc: Jim Schaad <ietf@augustcellars.com>, "jose@ietf.org" <jose@ietf.org>

To clarify: What is the base specification that Jim mentioned?
Is it: http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-03 ?

Would somebody please present a use-case for either nonce or timestamp?
If a jwt is used with oauth2 then what is the difference between nonce and
state? Nonce would be signed while state is not?

I guess I am missing some information that those in the room who voted
"yes" had?

Axel

2012/8/25 Mike Jones <Michael.Jones@microsoft.com>

> I'll note for discussion purposes that a nonce and a timestamp are not the
> same thing (although sometimes they are used to achieve similar/related
> goals).  A nonce tends to be an opaque value that must be preserved across
> the communication.  Whereas a timestamp typically has defined semantics -
> sometimes simply a non-decreasing integer value - and sometimes a
> representation of time, and then, sometimes with a uniqueness requirement.
>
> For discussion purposes, I'll say that the simplest thing for us to do
> (should we decide to do anything in this regard) would be to define the
> nonce as an opaque string value that must be preserved.
>
> We could also define a timestamp parameter, but as I wrote above, that
> would likely require us to specify additional semantics - starting with
> whether it's a non-decreasing integer or a representation of a time value.
> This seems much harder to define and possibly to use than a nonce.
>
> Would it make sense to define a nonce parameter now and hold off on
> defining a timestamp parameter until there's a clear demonstrated use case
> for which a nonce is not sufficient?  That would be my personal
> recommendation.
>
>                                 Best wishes,
>                                 -- Mike
>
> -----Original Message-----
> From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of
> Jim Schaad
> Sent: Friday, August 17, 2012 12:05 AM
> To: jose@ietf.org
> Subject: [jose] POLL: Nonce/Timestamp parameter
>
> <CHAIR>
>
> If you voted at the face-2-face please do not vote again.  If you want to
> provide comments please change the title from POLL to DISCUSS.
>
> Do we need to define a nonce/timestamp parameter in the base specification?
>
>
>
> Room vote:  6 yes, 0 no, 1 discuss
>
>
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose
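The distinction drawn in the thread, as an added example that is not part of the original messages or of any JOSE draft: a verifier that treats a nonce as an opaque value it issued and expects back once, and a timestamp as a non-decreasing integer. The header names `nonce` and `ts`, the `Verifier` class and the HS256 compact-style token are assumptions made for illustration; because the header is covered by the MAC, the nonce is signed, which is the property the question about OAuth2 `state` turns on.

```python
import base64, hashlib, hmac, json, secrets

def b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(header: dict, payload: bytes, key: bytes) -> str:
    """JWS-compact-style HS256 token; the header is covered by the MAC."""
    signing_input = b64u(json.dumps(header).encode()) + "." + b64u(payload)
    mac = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64u(mac)

class Verifier:
    """Hypothetical relying party; "nonce" and "ts" are assumed header names."""

    def __init__(self, key: bytes):
        self.key = key
        self.outstanding = set()  # nonces handed out and not yet redeemed
        self.last_ts = 0          # highest timestamp accepted so far

    def issue_nonce(self) -> str:
        nonce = secrets.token_urlsafe(16)  # opaque to the signer
        self.outstanding.add(nonce)
        return nonce

    def verify(self, token: str) -> str:
        try:
            head, body, sig = token.split(".")
            expected = hmac.new(self.key, f"{head}.{body}".encode(),
                                hashlib.sha256).digest()
            if not hmac.compare_digest(expected, b64u_decode(sig)):
                return "bad signature"
            header = json.loads(b64u_decode(head))
        except ValueError:
            return "malformed"
        # Timestamp semantics: a non-decreasing integer, no clock needed.
        ts = header.get("ts")
        if not isinstance(ts, int) or ts < self.last_ts:
            return "stale timestamp"
        # Nonce semantics: must be a value this verifier issued, used once.
        if header.get("nonce") not in self.outstanding:
            return "unknown or replayed nonce"
        self.outstanding.discard(header["nonce"])
        self.last_ts = ts
        return "ok"
```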