Re: [OAUTH-WG] [jose] Security research on JWT implementations

Mike Jones <Michael.Jones@microsoft.com> Thu, 02 April 2015 18:42 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>, Tim McLean <tim@timmclean.net>
Date: Thu, 02 Apr 2015 18:42:43 +0000
Message-ID: <BY2PR03MB442D97471309DA16C70C80CF5F20@BY2PR03MB442.namprd03.prod.outlook.com>
References: <CABZPcapJQu2dES0qjE73uzJoSs1RYDFOMyTXgkB5CtZ=a8JZ0w@mail.gmail.com> <551D6734.4010907@gmail.com> <CABZPcar2ryAFRFGRtT-GjTXj6mROBYxmjxmXZVMs93XzYnj0HQ@mail.gmail.com> <551D8A3C.1060300@gmx.net>
In-Reply-To: <551D8A3C.1060300@gmx.net>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/JdhKnLaSvTfq710LR_cSaLUhUSs>
Cc: "oauth@ietf.org" <oauth@ietf.org>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [OAUTH-WG] [jose] Security research on JWT implementations

This warning is already in place in https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32#section-7.2.  It says:

   Finally, note that it is an application decision which algorithms may
   be used in a given context.  Even if a JWT can be successfully
   validated, unless the algorithm(s) used in the JWT are acceptable to
   the application, it SHOULD reject the JWT.

				-- Mike

-----Original Message-----
From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes Tschofenig
Sent: Thursday, April 02, 2015 11:28 AM
To: Tim McLean
Cc: oauth@ietf.org; jose@ietf.org
Subject: Re: [OAUTH-WG] [jose] Security research on JWT implementations

[[adding oauth@ietf.org]]

On 04/02/2015 08:01 PM, Tim McLean wrote:
> However, I do think one way of gauging the success of JWS/JOSE is to 
> measure how many implementers actually get the security details right.

I agree with you.

If several people got this wrong then it is a good idea to write about it. Of course, it was a bit difficult to foresee this issue at the time of writing the specification.

At a minimum we should put a version of your article at oauth.net.

Since the JWT spec (which you reference in your article) is still in
Auth48 state we can still add a warning remark to Section 7.2 of https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32.

Ciao
Hannes
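A verifier that enforces the Section 7.2 rule quoted in this thread (the application, not the token, decides which algorithms are acceptable), as an added example that is not part of the original messages or of any JWT library: stdlib-only Python, with a constructed demo key and a constructed token builder for test input. The allowlist is consulted before anything else, so a token carrying an algorithm the application never opted into (including the "none" algorithm that JWA defines for Unsecured JWS) is rejected even though it is a well-formed JWT.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key; a real deployment loads its key from a secret store.
DEMO_KEY = b"constructed-demo-secret-key"


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_jwt(claims: dict, alg: str, key: bytes = b"") -> str:
    """Build a compact JWS as test input (constructed, not from the thread).
    alg "HS256" is HMAC-signed with key; alg "none" is an Unsecured JWS."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(key, signing_input, hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_jwt(token: str, key: bytes, allowed_algs: frozenset) -> Optional[dict]:
    """Return the claims only if the header's alg is on the application's
    allowlist AND the signature verifies under that algorithm; else None.
    The header's alg value never selects which key or key type is used."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
    except (ValueError, json.JSONDecodeError):
        return None
    alg = header.get("alg")
    # JWT Section 7.2: acceptability of the algorithm is an application decision.
    if alg not in allowed_algs:
        return None
    if alg == "HS256":
        expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s_b64)):
            return None
        return json.loads(b64url_decode(p_b64))
    return None  # no other algorithm is implemented in this example
```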