Re: [jose] DISCUSS: Nonce/Timestamp parameter

<Axel.Nennker@telekom.de> Tue, 28 August 2012 04:30 UTC

From: Axel.Nennker@telekom.de
To: kent@bbn.com, jose@ietf.org
Date: Tue, 28 Aug 2012 06:30:13 +0200
Thread-Topic: [jose] DISCUSS: Nonce/Timestamp parameter
Thread-Index: Ac2E1FkVDWRwHUA/RZSnc4vLTezgDQAAHgaA
Message-ID: <CE8995AB5D178F44A2154F5C9A97CAF402517E00C11A@HE111541.emea1.cds.t-internal.com>
References: <CE8995AB5D178F44A2154F5C9A97CAF402517E00B8B5@HE111541.emea1.cds.t-internal.com> <CE8995AB5D178F44A2154F5C9A97CAF402517E00C0E7@HE111541.emea1.cds.t-internal.com> <503C46D8.9020808@bbn.com>
In-Reply-To: <503C46D8.9020808@bbn.com>
Accept-Language: de-DE
Content-Language: en-US
acceptlanguage: de-DE
Content-Type: multipart/alternative; boundary="_000_CE8995AB5D178F44A2154F5C9A97CAF402517E00C11AHE111541eme_"
MIME-Version: 1.0
Subject: Re: [jose] DISCUSS: Nonce/Timestamp parameter
Precedence: list

I agree that jwt is  useful without oauth2.
Still we already have exp, iat, jti in jwt.
What protection do nonce/timestamp bring to jwt users?

I think the poll about this question should be reconsidered because the question is unclear and nonce/timestamp have no supporting use case beyond exp, iat, jti.

Axel


From: Stephen Kent [mailto:kent@bbn.com]
Sent: Tuesday, August 28, 2012 6:20 AM
To: jose@ietf.org; Nennker, Axel
Subject: Re: [jose] DISCUSS: Nonce/Timestamp parameter

Axel,

I did not vote on this issue, but I am concerned by what appears to be the basis for your
position. Specifically, you say:

Maybe there is some justification for nonce in jwt but if jwt is used with oauth2 then we already have state.

JOSE's cope is not just oauth2, so it seems inappropriate to argue that a feature is not
needed based on just that app.

Steve

Re: [jose] DISCUSS: Nonce/Timestamp parameter Justin Richer
Re: [jose] DISCUSS: Nonce/Timestamp parameter Mike Jones
Re: [jose] DISCUSS: Nonce/Timestamp parameter Axel.Nennker
Re: [jose] DISCUSS: Nonce/Timestamp parameter Mike Jones
Re: [jose] DISCUSS: Nonce/Timestamp parameter Axel.Nennker
Re: [jose] DISCUSS: Nonce/Timestamp parameter Dick Hardt
Re: [jose] DISCUSS: Nonce/Timestamp parameter Brian Eaton
Re: [jose] DISCUSS: Nonce/Timestamp parameter Dick Hardt
Re: [jose] DISCUSS: Nonce/Timestamp parameter Anthony Nadalin
Re: [jose] DISCUSS: Nonce/Timestamp parameter Axel.Nennker
Re: [jose] DISCUSS: Nonce/Timestamp parameter Mike Jones
Re: [jose] DISCUSS: Nonce/Timestamp parameter Dick Hardt
Re: [jose] DISCUSS: Nonce/Timestamp parameter Axel Nennker
Re: [jose] DISCUSS: Nonce/Timestamp parameter Stephen Kent
Re: [jose] DISCUSS: Nonce/Timestamp parameter Stephen Kent
Re: [jose] DISCUSS: Nonce/Timestamp parameter Richard Barnes
Re: [jose] DISCUSS: Nonce/Timestamp parameter Axel.Nennker
Re: [jose] DISCUSS: Nonce/Timestamp parameter Justin Richer
Re: [jose] DISCUSS: Nonce/Timestamp parameter John Bradley
Re: [jose] DISCUSS: Nonce/Timestamp parameter John Bradley
Re: [jose] DISCUSS: Nonce/Timestamp parameter Breno de Medeiros
Re: [jose] DISCUSS: Nonce/Timestamp parameter Brian Campbell
Re: [jose] DISCUSS: Nonce/Timestamp parameter Justin Richer
Re: [jose] DISCUSS: Nonce/Timestamp parameter Jim Schaad
Re: [jose] DISCUSS: Nonce/Timestamp parameter Mike Jones
Re: [jose] DISCUSS: Nonce/Timestamp parameter Daniel Holth