IETF Logo Mail Archive

Re: [OAUTH-WG] [jose] Security research on JWT implementations

Hannes Tschofenig <hannes.tschofenig@gmx.net> Thu, 02 April 2015 18:28 UTC

Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A530F1A0262; Thu, 2 Apr 2015 11:28:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iOlKyJj6YpD1; Thu, 2 Apr 2015 11:28:19 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.15.19]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 02BB91A014E; Thu, 2 Apr 2015 11:28:18 -0700 (PDT)
Received: from [192.168.131.146] ([80.92.114.249]) by mail.gmx.com (mrgmx003) with ESMTPSA (Nemesis) id 0MUILK-1Z4muV41Uw-00Qz2B; Thu, 02 Apr 2015 20:28:14 +0200
Message-ID: <551D8A3C.1060300@gmx.net>
Date: Thu, 02 Apr 2015 20:28:12 +0200
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0
MIME-Version: 1.0
To: Tim McLean <tim@timmclean.net>
References: <CABZPcapJQu2dES0qjE73uzJoSs1RYDFOMyTXgkB5CtZ=a8JZ0w@mail.gmail.com> <551D6734.4010907@gmail.com> <CABZPcar2ryAFRFGRtT-GjTXj6mROBYxmjxmXZVMs93XzYnj0HQ@mail.gmail.com>
In-Reply-To: <CABZPcar2ryAFRFGRtT-GjTXj6mROBYxmjxmXZVMs93XzYnj0HQ@mail.gmail.com>
OpenPGP: id=4D776BC9
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="PFs4ucScXfMpicxAbVaN6oNv7AA9LGG3A"
X-Provags-ID: V03:K0:6FitXFfqv97UwoEHibY/suQAl8KD2uqIv91irJvzzCb3TUXpnnA aETd0jRzsQ9W+jaNbo24X9xnlHA7RruNPG8VElOS7ss0vL7rIg4jos9J6atpTdQdsjMkBl3 kYm5DZbMFc3BD+ycZ20s2T/RmiJKk2K3eZ0+G8GJgLqBKUWwCgK8t2bh5Nevfrz5WX8qvTa wBF2RaL/CpxQiBvNG8iyg==
X-UI-Out-Filterresults: notjunk:1;
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/MC_NzUvPbu9zq_C4cVdhOh0zG1c>
Cc: "oauth@ietf.org" <oauth@ietf.org>, jose@ietf.org
Subject: Re: [OAUTH-WG] [jose] Security research on JWT implementations
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Apr 2015 18:28:20 -0000

[[adding oauth@ietf.org]]

On 04/02/2015 08:01 PM, Tim McLean wrote:
> However, I do think one way of gauging the success of JWS/JOSE is to
> measure how many implementers actually get the security details right. 

I agree with you.

If several people got this wrong then it is a good idea to write about
it. Of course, it was a bit difficult to foresee this issue at the time
of writing the specification.

At a minimum we should put a version of your article at oauth.net.

Since the JWT spec (which you reference in your article) is still in
Auth48 state we can still add a warning remark to Section 7.2 of
https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32.

Ciao
Hannes

v2.23.0 | Report a Bug | By Email