Re: [jose] DISCUSS: Nonce/Timestamp parameter

Anthony Nadalin <tonynad@microsoft.com> Mon, 27 August 2012 21:03 UTC

From: Anthony Nadalin <tonynad@microsoft.com>
To: Brian Eaton <beaton@google.com>, Dick Hardt <dick.hardt@gmail.com>
Date: Mon, 27 Aug 2012 21:02:57 +0000
Message-ID: <B26C1EF377CB694EAB6BDDC8E624B6E75EA38E51@BL2PRD0310MB362.namprd03.prod.outlook.com>
References: <CE8995AB5D178F44A2154F5C9A97CAF402517E00B8B5@HE111541.emea1.cds.t-internal.com> <CE8995AB5D178F44A2154F5C9A97CAF402517E00C0E7@HE111541.emea1.cds.t-internal.com> <8777DAED-4ADA-4691-B5CD-0E5CF308BC1C@gmail.com> <CALT9B_Tnz+9=a-NPuUTeSb31fFMi1cJMB-SeM7QJmSh=XrhHTA@mail.gmail.com>
In-Reply-To: <CALT9B_Tnz+9=a-NPuUTeSb31fFMi1cJMB-SeM7QJmSh=XrhHTA@mail.gmail.com>
Cc: "ietf@augustcellars.com" <ietf@augustcellars.com>, "Axel.Nennker@telekom.de" <Axel.Nennker@telekom.de>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] DISCUSS: Nonce/Timestamp parameter
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>

Depends on what the nonce is used for. If this is for key entropy, then I would say there is very little overhead and storage issues, and in this case I would expect the header to contain the nonce. If it's for state of some sort, then I would expect it at the application level and not as a header, and more of a JWT claim.

From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Brian Eaton
Sent: Monday, August 27, 2012 1:06 PM
To: Dick Hardt
Cc: ietf@augustcellars.com; jose@ietf.org; Axel.Nennker@telekom.de
Subject: Re: [jose] DISCUSS: Nonce/Timestamp parameter

On Mon, Aug 27, 2012 at 12:11 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
I have an application for JWT that is not OAuth2.

Should nonce and timestamp logic go in the application level protocol?

Having said that, nonces are difficult to implement at scale and I have heard of many sites that don't implement them fully.

Nonce alone can't be implemented efficiently.  You have to have time stamps as well, otherwise you are stuck storing every nonce you've ever seen, forever.

Even nonce + time stamp is challenging in distributed systems.  It adds a lot of complexity.  That complexity is sometimes merited, but not always.
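The two points made in this thread, Nadalin's that a state nonce belongs at the application level as a JWT claim rather than in the JOSE header, and Eaton's that a nonce is only affordable when paired with a timestamp that bounds how long the receiver must remember it, can be shown together in one small piece of code. The following is an added example written for this archive page, not code from the thread, from the JOSE working group or from any of the participants. It uses the JWT registered claim names `jti` (the nonce) and `iat` (issue time), assumes the JWS signature over the claim set has already been verified by the caller, and picks a five-minute acceptance window and a thirty-second clock-skew allowance purely as illustrative values.

```python
"""Bounded replay cache for nonce ('jti') + timestamp ('iat') claims.

Added example, not code from the original thread.  Assumes the JWS
signature has already been verified by the caller; only the anti-replay
logic on the claim set is shown.  Claim names follow the JWT registered
claims 'jti' and 'iat'.  Window and skew values are assumptions.
"""
import secrets
import time
from collections import OrderedDict

WINDOW_SECONDS = 300    # accept tokens issued within the last 5 minutes (assumption)
MAX_SKEW_SECONDS = 30   # tolerate slightly-future 'iat' from clock drift (assumption)


def new_claims(subject, now=None):
    """Build an application-level claim set carrying a fresh random nonce
    and an issue time, which is where a state nonce belongs rather than in
    the JOSE header."""
    now = int(time.time()) if now is None else int(now)
    return {"sub": subject, "iat": now, "jti": secrets.token_urlsafe(16)}


class ReplayGuard:
    """Remembers seen nonces only for WINDOW_SECONDS, so storage stays bounded.

    Without the timestamp bound every nonce would have to be kept forever,
    which is the scaling problem the thread describes.  A nonce outside the
    window is rejected before the cache is consulted, so entries older than
    the window can be discarded without weakening replay protection.
    """

    def __init__(self, window=WINDOW_SECONDS, skew=MAX_SKEW_SECONDS):
        self.window = window
        self.skew = skew
        # jti -> iat, kept in arrival order so eviction walks from the oldest end.
        self._seen = OrderedDict()

    def _evict(self, now):
        # Arrival order approximates iat order.  A stale entry that lands behind
        # a fresher one lingers until its predecessor goes, which is harmless:
        # any token that old is rejected by the age check before the lookup.
        cutoff = now - self.window
        while self._seen:
            _, iat = next(iter(self._seen.items()))
            if iat >= cutoff:
                break
            self._seen.popitem(last=False)

    def check(self, claims, now=None):
        """Return (accepted, reason).  Rejects malformed, stale, future-dated
        and replayed claim sets; records the nonce of an accepted one."""
        now = int(time.time()) if now is None else int(now)
        jti = claims.get("jti")
        iat = claims.get("iat")
        if not isinstance(jti, str) or not isinstance(iat, int):
            return False, "missing jti or iat"
        if iat > now + self.skew:
            return False, "iat in the future"
        if iat < now - self.window:
            return False, "token too old"
        self._evict(now)
        if jti in self._seen:
            return False, "replay"
        self._seen[jti] = iat
        return True, "ok"

    def __len__(self):
        return len(self._seen)


if __name__ == "__main__":
    guard = ReplayGuard()
    token = new_claims("alice")
    print(guard.check(token))   # first presentation is accepted
    print(guard.check(token))   # second presentation is a replay
```

In a deployment with several receivers the `_seen` map has to be shared or partitioned, and clocks have to agree to within the skew allowance, which is the distributed-systems cost Eaton refers to; the code above shows only what the single-node version must do.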