Re: [OAUTH-WG] [jose] Security research on JWT implementations

Tim McLean <tim@timmclean.net> Thu, 02 April 2015 21:23 UTC

From: Tim McLean <tim@timmclean.net>
Date: Thu, 02 Apr 2015 17:23:03 -0400
Message-ID: <CABZPcaqsy_9HPJfDT-ErMr9H8owX_M=T5BWMtOGVc1zS-8TSJQ@mail.gmail.com>
To: John Bradley <ve7jtb@ve7jtb.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/Dqc6hZIiZnNi7mLTZ8jt8WfNClE>
Cc: "oauth@ietf.org" <oauth@ietf.org>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [OAUTH-WG] [jose] Security research on JWT implementations

On Thu, Apr 2, 2015 at 4:39 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:

> A given issuer may be allowed to sign using both ECDSA and RSA PKCS 1.5
> and that would not be a problem until one of them is deprecated.
> Having libraries assume that there can only be one alg per issuer would
> not lead to useful crypto agility in my experience.
>

Note that I'm proposing one alg per key ID, not one alg per issuer (sorry
in advance if I misunderstood what you meant here).

Tim
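
The one-alg-per-key-ID rule proposed above, as an added example that is not part of the original message or of any library discussed in the thread: one issuer keeps both an RSA and an ECDSA key, and the verifier takes the algorithm from its key store entry for the `kid`, never from the token header. The key IDs, function names and keys are constructed for illustration, and Node.js's built-in `crypto` module is assumed.

```javascript
// Added example (not from the thread): one algorithm bound to each key ID.
const crypto = require('crypto');

const b64u = (data) => Buffer.from(data).toString('base64url');

// Constructed keys: a single issuer holding an RSA key and an EC key.
const rsa = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const ec = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });

// Node signing parameters for the two JWS algorithms used here.
const PARAMS = {
  RS256: (key) => ({ key, padding: crypto.constants.RSA_PKCS1_PADDING }),
  ES256: (key) => ({ key, dsaEncoding: 'ieee-p1363' }),
};

// Verifier key store: each kid maps to exactly one alg (hypothetical kids).
const KEYS = new Map([
  ['rsa-2015', { alg: 'RS256', publicKey: rsa.publicKey }],
  ['ec-2015', { alg: 'ES256', publicKey: ec.publicKey }],
]);

// Issuer side: build a compact JWS with alg and kid in the header.
function sign(alg, kid, privateKey, claims) {
  const input = b64u(JSON.stringify({ alg, kid })) + '.' + b64u(JSON.stringify(claims));
  const sig = crypto.sign('sha256', Buffer.from(input), PARAMS[alg](privateKey));
  return input + '.' + b64u(sig);
}

// Verifier side: returns the claims, or throws on any failure.
function verify(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const header = JSON.parse(Buffer.from(parts[0], 'base64url').toString());
  const entry = KEYS.get(header.kid);
  if (!entry) throw new Error('unknown kid');
  // The alg comes from the key store; the header value is only compared to it.
  if (header.alg !== entry.alg) throw new Error('alg not allowed for this kid');
  const ok = crypto.verify('sha256', Buffer.from(parts[0] + '.' + parts[1]),
    PARAMS[entry.alg](entry.publicKey), Buffer.from(parts[2], 'base64url'));
  if (!ok) throw new Error('bad signature');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString());
}
```

Both of the issuer's keys stay usable at the same time, which keeps the agility John Bradley describes, while a token whose header names a different algorithm than the one registered for its `kid` is rejected before any signature check runs.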