Re: [jose] DISCUSS: Nonce/Timestamp parameter

Mike Jones <Michael.Jones@microsoft.com> Mon, 27 August 2012 21:36 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: "Axel.Nennker@telekom.de" <Axel.Nennker@telekom.de>, "dick.hardt@gmail.com" <dick.hardt@gmail.com>, "beaton@google.com" <beaton@google.com>
Date: Mon, 27 Aug 2012 21:36:02 +0000
Message-ID: <4E1F6AAD24975D4BA5B1680429673943667ABCF4@TK5EX14MBXC284.redmond.corp.microsoft.com>
References: <CE8995AB5D178F44A2154F5C9A97CAF402517E00B8B5@HE111541.emea1.cds.t-internal.com> <CE8995AB5D178F44A2154F5C9A97CAF402517E00C0E7@HE111541.emea1.cds.t-internal.com> <8777DAED-4ADA-4691-B5CD-0E5CF308BC1C@gmail.com> <CALT9B_Tnz+9=a-NPuUTeSb31fFMi1cJMB-SeM7QJmSh=XrhHTA@mail.gmail.com> <6C5B4E61-C18F-470A-955C-B099A2208788@gmail.com> <CE8995AB5D178F44A2154F5C9A97CAF402517E00C107@HE111541.emea1.cds.t-internal.com>
In-Reply-To: <CE8995AB5D178F44A2154F5C9A97CAF402517E00C107@HE111541.emea1.cds.t-internal.com>
Cc: "ietf@augustcellars.com" <ietf@augustcellars.com>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [jose] DISCUSS: Nonce/Timestamp parameter

Just to complete the picture, I'll also add that OpenID Connect defines a nonce claim (at the JWT claim level, rather than the JOSE header parameter level).

-- Mike

From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Axel.Nennker@telekom.de
Sent: Monday, August 27, 2012 2:13 PM
To: dick.hardt@gmail.com; beaton@google.com
Cc: ietf@augustcellars.com; jose@ietf.org
Subject: Re: [jose] DISCUSS: Nonce/Timestamp parameter

We have exp

https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-03#section-4.1.1

and iat

https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-03#section-4.1.3

in JWT. Why do we need a timestamp?

Replay attacks of the same jwt can be mitigated through the jti claim

https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-03#section-4.1.7

What do timestamp and nonce add to these?

Axel

From: Dick Hardt [mailto:dick.hardt@gmail.com]
Sent: Monday, August 27, 2012 10:23 PM
To: Brian Eaton
Cc: Nennker, Axel; Jim Schaad; jose@ietf.org
Subject: Re: [jose] DISCUSS: Nonce/Timestamp parameter

On Aug 27, 2012, at 1:06 PM, Brian Eaton wrote:

On Mon, Aug 27, 2012 at 12:11 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
I have an application for JWT that is not OAuth2.

Should nonce and timestamp logic go in the application level protocol?

I prefer to NOT have the application level deal with token validity.

Having said that, nonces are difficult to implement at scale and I have heard of many sites that don't implement them fully.

Nonce alone can't be implemented efficiently.  You have to have time stamps as well, otherwise you are stuck storing every nonce you've ever seen, forever.

Even nonce + time stamp is challenging in distributed systems.  It adds a lot of complexity.  That complexity is sometimes merited, but not always.

Thanks for confirming my statement.

I have stopped using nonce and only use time stamps lately and have made the system relatively stateless so that a second submission of the token is ok. That may not work for everyone, but I have found that architecture to be easier to implement and scale.
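As an added example (not code from this thread or from the JWT draft it cites), the following Python validator shows what Brian's point looks like in practice: the `exp` and `iat` claims bound how long a `jti` has to be remembered, so the replay cache can be pruned instead of growing without limit. The `ReplayGuard` class, its skew and max-age parameters and the sample claims are assumptions constructed for this illustration.

```python
import time


class ReplayGuard:
    """Replay guard for JWT claims exp/iat/jti; exp bounds how long each jti is kept."""

    def __init__(self, max_skew=60, max_age=300):
        self.max_skew = max_skew    # tolerated clock skew between issuer and verifier, seconds
        self.max_age = max_age      # longest exp - iat lifetime this verifier will accept
        self._seen = {}             # jti -> exp; entries are forgotten once exp + skew is past

    def _prune(self, now):
        # A jti whose token is already rejected as expired can never replay; drop it.
        for jti in [j for j, exp in self._seen.items() if exp + self.max_skew < now]:
            del self._seen[jti]

    def pending(self):
        """Number of jti values currently held; bounded by issue rate times max_age."""
        return len(self._seen)

    def check(self, claims, now=None):
        """Return 'ok' or the reason the token must be rejected (first failure wins)."""
        now = time.time() if now is None else now
        self._prune(now)
        exp, iat, jti = claims.get("exp"), claims.get("iat"), claims.get("jti")
        if not (isinstance(exp, (int, float)) and isinstance(iat, (int, float))
                and isinstance(jti, str) and jti):
            return "missing_claims"          # all three are required for replay protection
        if exp + self.max_skew < now:
            return "expired"                 # exp (section 4.1.1): not valid after this time
        if iat - self.max_skew > now:
            return "issued_in_future"        # iat (section 4.1.3): reject clocks too far ahead
        if exp - iat > self.max_age:
            return "lifetime_too_long"       # caps how long each jti has to be remembered
        if jti in self._seen:
            return "replay"                  # jti (section 4.1.7) seen before within its lifetime
        self._seen[jti] = exp
        return "ok"


if __name__ == "__main__":
    guard = ReplayGuard(max_skew=10, max_age=300)
    t0 = 1346103374                          # constructed 'now' (roughly the thread's date)
    token = {"iat": t0, "exp": t0 + 60, "jti": "tok-1"}
    print(guard.check(token, now=t0 + 5))    # ok
    print(guard.check(token, now=t0 + 6))    # replay
    print(guard.check(token, now=t0 + 80), guard.pending())   # expired 0
```

Dropping the `jti` check entirely, as Dick describes, turns this into a stateless timestamp-only validator whose only replay window is `exp - iat` plus skew.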