Re: [OAUTH-WG] [jose] Security research on JWT implementations

Aaron Parecki <aaron@parecki.com> Thu, 02 April 2015 18:53 UTC

References: <CABZPcapJQu2dES0qjE73uzJoSs1RYDFOMyTXgkB5CtZ=a8JZ0w@mail.gmail.com> <551D6734.4010907@gmail.com> <CABZPcar2ryAFRFGRtT-GjTXj6mROBYxmjxmXZVMs93XzYnj0HQ@mail.gmail.com> <551D8A3C.1060300@gmx.net> <BY2PR03MB442D97471309DA16C70C80CF5F20@BY2PR03MB442.namprd03.prod.outlook.com>
In-Reply-To: <BY2PR03MB442D97471309DA16C70C80CF5F20@BY2PR03MB442.namprd03.prod.outlook.com>
From: Aaron Parecki <aaron@parecki.com>
Date: Thu, 02 Apr 2015 18:53:10 +0000
Message-ID: <CAGBSGjrCRczgYLpARfrNsOg-G4KNCUe1DuOdmU6BRyGNLr0sTg@mail.gmail.com>
To: Mike Jones <Michael.Jones@microsoft.com>, Hannes Tschofenig <hannes.tschofenig@gmx.net>, Tim McLean <tim@timmclean.net>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/JLfn3nrceX0bVJg4gW6_IMq3VC4>
Cc: "oauth@ietf.org" <oauth@ietf.org>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [OAUTH-WG] [jose] Security research on JWT implementations

I'm not sure what article you're referring to, but feel free to add the
article and send a pull request to oauth.net:

https://github.com/aaronpk/oauth.net

Here's an example of the PR for the Authentication article that Justin
added: https://github.com/aaronpk/oauth.net/pull/81

Aaron Parecki




On Thu, Apr 2, 2015 at 1:43 PM Mike Jones <Michael.Jones@microsoft.com>
wrote:

> This warning is already in place in
> https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32#section-7.2.  It says:
>
>    Finally, note that it is an application decision which algorithms may
>    be used in a given context.  Even if a JWT can be successfully
>    validated, unless the algorithm(s) used in the JWT are acceptable to
>    the application, it SHOULD reject the JWT.
>
>                                 -- Mike
>
> -----Original Message-----
> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes Tschofenig
> Sent: Thursday, April 02, 2015 11:28 AM
> To: Tim McLean
> Cc: oauth@ietf.org; jose@ietf.org
> Subject: Re: [OAUTH-WG] [jose] Security research on JWT implementations
>
> [[adding oauth@ietf.org]]
>
> On 04/02/2015 08:01 PM, Tim McLean wrote:
> > However, I do think one way of gauging the success of JWS/JOSE is to
> > measure how many implementers actually get the security details right.
>
> I agree with you.
>
> If several people got this wrong then it is a good idea to write about it.
> Of course, it was a bit difficult to foresee this issue at the time of
> writing the specification.
>
> At a minimum we should put a version of your article at oauth.net.
>
> Since the JWT spec (which you reference in your article) is still in
> Auth48 state we can still add a warning remark to Section 7.2 of
> https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32.
>
> Ciao
> Hannes
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
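The Section 7.2 text Mike quotes (reject a JWT unless its algorithm is acceptable to the application) turned into a minimal verifier, added here as an example and not code from anyone in this thread or from the oauth.net repository. The demo key, the claims, the `verify_jwt`/`sign_hs256` helper names and the constructed off-policy token are all assumptions for the demo; it uses only the Python standard library and checks the application allow-list before any signature processing.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    """Encode one JSON object as a base64url JWS segment."""
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Produce a JWS compact serialization signed with HMAC-SHA256."""
    signing_input = _segment({"alg": "HS256", "typ": "JWT"}) + "." + _segment(claims)
    tag = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(tag)


def verify_jwt(token: str, key: bytes, allowed_algs: frozenset):
    """Return (claims, None) if the token is acceptable, else (None, reason).

    The application's algorithm allow-list is applied first, before any
    cryptographic processing, so the header's "alg" value alone never
    decides which verifier runs.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed JWS compact serialization"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
    except ValueError:
        return None, "undecodable header"
    alg = header.get("alg")
    if alg not in allowed_algs:
        return None, f"algorithm {alg!r} not acceptable to this application"
    # Only HS256 has a verifier here; any other allow-listed value would
    # need its own verifier bound to the matching key type.
    if alg != "HS256":
        return None, f"no verifier implemented for {alg!r}"
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    try:
        presented = b64url_decode(sig_b64)
    except ValueError:
        return None, "undecodable signature"
    if not hmac.compare_digest(expected, presented):
        return None, "signature verification failed"
    try:
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:
        return None, "undecodable payload"
    return claims, None


# Constructed demo key and policy; a real deployment loads the key from a
# secret store and pins one algorithm per key.
DEMO_KEY = b"constructed-demo-key-not-for-production"
ALLOWED = frozenset({"HS256"})


def demo() -> dict:
    """Run one accepted token and three constructed rejection cases."""
    good = sign_hs256({"sub": "alice", "scope": "read"}, DEMO_KEY)
    # Header names an algorithm the application has not approved.
    off_policy = _segment({"alg": "RS256"}) + "." + _segment({"sub": "alice"}) + ".AAAA"
    wrong_key = sign_hs256({"sub": "alice"}, b"some-other-constructed-key")
    h, _p, s = good.split(".")
    tampered = h + "." + _segment({"sub": "alice", "scope": "admin"}) + "." + s
    return {
        "good": verify_jwt(good, DEMO_KEY, ALLOWED),
        "off_policy": verify_jwt(off_policy, DEMO_KEY, ALLOWED),
        "wrong_key": verify_jwt(wrong_key, DEMO_KEY, ALLOWED),
        "tampered": verify_jwt(tampered, DEMO_KEY, ALLOWED),
    }


if __name__ == "__main__":
    for name, (claims, reason) in demo().items():
        print(f"{name}: {'accepted ' + json.dumps(claims) if claims else 'rejected: ' + reason}")
```

The allow-list is passed in by the caller rather than derived from the token, which is the point of the quoted paragraph: which algorithms count as acceptable is the application's decision, made before the signature is examined.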