Re: [jose] DISCUSS: Nonce/Timestamp parameter
Justin Richer <jricher@mitre.org> Tue, 28 August 2012 14:34 UTC
Message-ID: <503CD692.4020007@mitre.org>
Date: Tue, 28 Aug 2012 10:32:50 -0400
From: Justin Richer <jricher@mitre.org>
To: Axel Nennker <ignisvulpis@googlemail.com>
References: <4E1F6AAD24975D4BA5B1680429673943667A93F8@TK5EX14MBXC284.redmond.corp.microsoft.com> <CAHcDwFzh6HcgsJYFXq71RWSwKWkMADBNQH7_goAtTFNmz-wSwQ@mail.gmail.com>
In-Reply-To: <CAHcDwFzh6HcgsJYFXq71RWSwKWkMADBNQH7_goAtTFNmz-wSwQ@mail.gmail.com>
Cc: Mike Jones <Michael.Jones@microsoft.com>, Jim Schaad <ietf@augustcellars.com>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] DISCUSS: Nonce/Timestamp parameter
On 08/25/2012 03:37 AM, Axel Nennker wrote:
> To clarify: What is the base specification that Jim mentioned?
> Is it: http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-03 ?
>
> Would somebody please present a use-case for either nonce or timestamp?
> If a jwt is used with oauth2 then what is the difference between nonce
> and state? Nonce would be signed while state is not?

Nonce would generally be generated by the entity creating the token. State
in OAuth is generated by the client, and would only be protected if the
client had a means to make a signed request to the server, using either a
MAC binding or a JWT-based OIDC-style RequestObject.

 -- Justin

> I guess I am missing some information that those in the room who voted
> "yes" had?
>
> Axel
>
> 2012/8/25 Mike Jones <Michael.Jones@microsoft.com>
>
>> I'll note for discussion purposes that a nonce and a timestamp are
>> not the same thing (although sometimes they are used to achieve
>> similar/related goals). A nonce tends to be an opaque value that
>> must be preserved across the communication. Whereas a timestamp
>> typically has defined semantics - sometimes simply a
>> non-decreasing integer value - and sometimes a representation of
>> time, and then, sometimes with a uniqueness requirement.
>>
>> For discussion purposes, I'll say that the simplest thing for us
>> to do (should we decide to do anything in this regard) would be to
>> define the nonce as an opaque string value that must be preserved.
>>
>> We could also define a timestamp parameter, but as I wrote above,
>> that would likely require us to specify additional semantics -
>> starting with whether it's a non-decreasing integer or a
>> representation of a time value. This seems much harder to define
>> and possibly to use than a nonce.
>>
>> Would it make sense to define a nonce parameter now and hold off
>> on defining a timestamp parameter until there's a clear
>> demonstrated use case for which a nonce is not sufficient? That
>> would be my personal recommendation.
>>
>> Best wishes,
>> -- Mike
>>
>> -----Original Message-----
>> From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On
>> Behalf Of Jim Schaad
>> Sent: Friday, August 17, 2012 12:05 AM
>> To: jose@ietf.org
>> Subject: [jose] POLL: Nonce/Timestamp parameter
>>
>> <CHAIR>
>>
>> If you voted at the face-2-face please do not vote again. If you
>> want to provide comments please change the title from POLL to DISCUSS.
>>
>> Do we need to define a nonce/timestamp parameter in the base
>> specification?
>>
>> Room vote: 6 yes, 0 no, 1 discuss
>>
>> _______________________________________________
>> jose mailing list
>> jose@ietf.org
>> https://www.ietf.org/mailman/listinfo/jose
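The distinction drawn in the message above (an opaque nonce that a verifier can only compare and remember, versus a timestamp whose meaning the specification would have to pin down) can be made concrete with a small verifier. The following Python is an added example written for this archive page; it is not code from the thread, from any JOSE or JWT draft, or from any of the participants. The claim names `nonce` and `iat`, the compact HS256 construction, the 300-second freshness window and the 60-second skew tolerance are all assumptions chosen for illustration. Note that an OAuth `state` parameter travels outside the signed payload, so nothing here protects it; that is exactly the point made in the reply.

```python
"""Added illustration: an opaque nonce check beside a timestamp check on a
signed token. Not from the JOSE thread or any draft; claim names, algorithm
and window sizes are assumptions for this example."""
import base64
import hashlib
import hmac
import json


def b64u(data: bytes) -> str:
    """base64url without padding, the encoding JWS uses for each segment."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, key: bytes) -> str:
    """Build a compact HS256 token: header.payload.signature (assumed layout)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64u(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64u(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64u(sig)


def verify_token(token: str, key: bytes):
    """Return the claims if the HS256 MAC checks out, else None.
    The algorithm is fixed by the verifier; the header is checked against
    it, never trusted to choose it."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    head, payload, sig = parts
    try:
        header = json.loads(b64u_decode(head))
        given_sig = b64u_decode(sig)
        claims = json.loads(b64u_decode(payload))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    if not isinstance(claims, dict):
        return None
    expected = hmac.new(key, f"{head}.{payload}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given_sig):
        return None
    return claims


class NonceVerifier:
    """A nonce is opaque: the only operations are 'equals the value I expect'
    and 'not accepted before'. No further semantics are required."""

    def __init__(self):
        self.seen = set()

    def check(self, claims: dict, expected: str) -> bool:
        nonce = claims.get("nonce")
        if not isinstance(nonce, str):
            return False
        if not hmac.compare_digest(nonce.encode(), expected.encode()):
            return False
        if nonce in self.seen:          # replay of a token already accepted
            return False
        self.seen.add(nonce)
        return True


def check_timestamp(claims: dict, now: int, max_age: int, skew: int) -> bool:
    """A timestamp needs semantics a spec would have to fix: which clock,
    what unit, how much skew is tolerated, how long a token stays fresh.
    Here: integer seconds, 'iat' may not be in the future beyond skew, and
    a token older than max_age (plus skew) is stale."""
    iat = claims.get("iat")
    if not isinstance(iat, int) or isinstance(iat, bool):
        return False
    if iat > now + skew:                # issued in the future beyond tolerated skew
        return False
    if now - iat > max_age + skew:      # stale
        return False
    return True


if __name__ == "__main__":
    # Constructed demo values; the key and claims are not real.
    key = b"constructed-demo-key"
    tok = make_token({"iss": "https://as.example", "nonce": "n-7f3a", "iat": 1000}, key)
    claims = verify_token(tok, key)
    nv = NonceVerifier()
    print("first use:", nv.check(claims, "n-7f3a"), "replay:", nv.check(claims, "n-7f3a"))
    print("fresh:", check_timestamp(claims, 1100, 300, 60), "stale:", check_timestamp(claims, 2000, 300, 60))
```

The nonce path needs per-verifier state (the `seen` set, or the caller's own record of which value it expects) but nothing else; the timestamp path needs no state, but every line of `check_timestamp` encodes a decision the thread says the specification would otherwise have to make.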
- Re: [jose] DISCUSS: Nonce/Timestamp parameter Justin Richer
- Re: [jose] DISCUSS: Nonce/Timestamp parameter Mike Jones
- Re: [jose] DISCUSS: Nonce/Timestamp parameter Axel.Nennker
- Re: [jose] DISCUSS: Nonce/Timestamp parameter Mike Jones
- Re: [jose] DISCUSS: Nonce/Timestamp parameter Axel.Nennker
- Re: [jose] DISCUSS: Nonce/Timestamp parameter Dick Hardt
- Re: [jose] DISCUSS: Nonce/Timestamp parameter Brian Eaton
- Re: [jose] DISCUSS: Nonce/Timestamp parameter Dick Hardt
- Re: [jose] DISCUSS: Nonce/Timestamp parameter Anthony Nadalin
- Re: [jose] DISCUSS: Nonce/Timestamp parameter Axel.Nennker
- Re: [jose] DISCUSS: Nonce/Timestamp parameter Mike Jones
- Re: [jose] DISCUSS: Nonce/Timestamp parameter Dick Hardt
- Re: [jose] DISCUSS: Nonce/Timestamp parameter Axel Nennker
- Re: [jose] DISCUSS: Nonce/Timestamp parameter Stephen Kent
- Re: [jose] DISCUSS: Nonce/Timestamp parameter Stephen Kent
- Re: [jose] DISCUSS: Nonce/Timestamp parameter Richard Barnes
- Re: [jose] DISCUSS: Nonce/Timestamp parameter Axel.Nennker
- Re: [jose] DISCUSS: Nonce/Timestamp parameter Justin Richer
- Re: [jose] DISCUSS: Nonce/Timestamp parameter John Bradley
- Re: [jose] DISCUSS: Nonce/Timestamp parameter John Bradley
- Re: [jose] DISCUSS: Nonce/Timestamp parameter Breno de Medeiros
- Re: [jose] DISCUSS: Nonce/Timestamp parameter Brian Campbell
- Re: [jose] DISCUSS: Nonce/Timestamp parameter Justin Richer
- Re: [jose] DISCUSS: Nonce/Timestamp parameter Jim Schaad
- Re: [jose] DISCUSS: Nonce/Timestamp parameter Mike Jones
- Re: [jose] DISCUSS: Nonce/Timestamp parameter Daniel Holth