Re: [OAUTH-WG] OAuth Digest, Vol 78, Issue 1
Maik Mahn <sooolooo.mm@gmail.com> Fri, 03 April 2015 12:08 UTC
Date: Fri, 03 Apr 2015 14:07:55 +0200
Message-ID: <gr2kcf6agliborrmj0mto6y8.1428062875308@email.android.com>
From: Maik Mahn <sooolooo.mm@gmail.com>
To: oauth@ietf.org
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/ZiKsSPzuTIjeaCNJKuI59guxjwE>
M&M

oauth-request@ietf.org wrote:
>Send OAuth mailing list submissions to
>	oauth@ietf.org
>
>To subscribe or unsubscribe via the World Wide Web, visit
>	https://www.ietf.org/mailman/listinfo/oauth
>or, via email, send a message with subject or body 'help' to
>	oauth-request@ietf.org
>
>You can reach the person managing the list at
>	oauth-owner@ietf.org
>
>When replying, please edit your Subject line so it is more specific
>than "Re: Contents of OAuth digest..."
>
>
>Today's Topics:
>
>   1. Re: [jose] Security research on JWT implementations
>      (Hannes Tschofenig)
>   2. Re: [jose] Security research on JWT implementations (Mike Jones)
>   3. Re: [jose] Security research on JWT implementations
>      (Aaron Parecki)
>
>
>----------------------------------------------------------------------
>
>Message: 1
>Date: Thu, 02 Apr 2015 20:28:12 +0200
>From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
>To: Tim McLean <tim@timmclean.net>
>Cc: "oauth@ietf.org" <oauth@ietf.org>, jose@ietf.org
>Subject: Re: [OAUTH-WG] [jose] Security research on JWT
>	implementations
>Message-ID: <551D8A3C.1060300@gmx.net>
>Content-Type: text/plain; charset="windows-1252"
>
>[[adding oauth@ietf.org]]
>
>On 04/02/2015 08:01 PM, Tim McLean wrote:
>> However, I do think one way of gauging the success of JWS/JOSE is to
>> measure how many implementers actually get the security details right.
>
>I agree with you.
>
>If several people got this wrong then it is a good idea to write about
>it. Of course, it was a bit difficult to foresee this issue at the time
>of writing the specification.
>
>At a minimum we should put a version of your article at oauth.net.
>
>Since the JWT spec (which you reference in your article) is still in
>Auth48 state we can still add a warning remark to Section 7.2 of
>https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32.
>
>Ciao
>Hannes
>
>-------------- next part --------------
>A non-text attachment was scrubbed...
>Name: signature.asc
>Type: application/pgp-signature
>Size: 513 bytes
>Desc: OpenPGP digital signature
>URL: <http://www.ietf.org/mail-archive/web/oauth/attachments/20150402/0f862401/attachment.asc>
>
>------------------------------
>
>Message: 2
>Date: Thu, 2 Apr 2015 18:42:43 +0000
>From: Mike Jones <Michael.Jones@microsoft.com>
>To: Hannes Tschofenig <hannes.tschofenig@gmx.net>, Tim McLean
>	<tim@timmclean.net>
>Cc: "oauth@ietf.org" <oauth@ietf.org>, "jose@ietf.org" <jose@ietf.org>
>Subject: Re: [OAUTH-WG] [jose] Security research on JWT
>	implementations
>Message-ID:
>	<BY2PR03MB442D97471309DA16C70C80CF5F20@BY2PR03MB442.namprd03.prod.outlook.com>
>
>Content-Type: text/plain; charset="us-ascii"
>
>This warning is already in place in https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32#section-7.2. It says:
>
>   Finally, note that it is an application decision which algorithms may
>   be used in a given context. Even if a JWT can be successfully
>   validated, unless the algorithm(s) used in the JWT are acceptable to
>   the application, it SHOULD reject the JWT.
>
>				-- Mike
>
>-----Original Message-----
>From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes Tschofenig
>Sent: Thursday, April 02, 2015 11:28 AM
>To: Tim McLean
>Cc: oauth@ietf.org; jose@ietf.org
>Subject: Re: [OAUTH-WG] [jose] Security research on JWT implementations
>
>[[adding oauth@ietf.org]]
>
>On 04/02/2015 08:01 PM, Tim McLean wrote:
>> However, I do think one way of gauging the success of JWS/JOSE is to
>> measure how many implementers actually get the security details right.
>
>I agree with you.
>
>If several people got this wrong then it is a good idea to write about it. Of course, it was a bit difficult to foresee this issue at the time of writing the specification.
>
>At a minimum we should put a version of your article at oauth.net.
>
>Since the JWT spec (which you reference in your article) is still in
>Auth48 state we can still add a warning remark to Section 7.2 of https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32.
>
>Ciao
>Hannes
>
>
>
>------------------------------
>
>Message: 3
>Date: Thu, 02 Apr 2015 18:53:10 +0000
>From: Aaron Parecki <aaron@parecki.com>
>To: Mike Jones <Michael.Jones@microsoft.com>, Hannes Tschofenig
>	<hannes.tschofenig@gmx.net>, Tim McLean <tim@timmclean.net>
>Cc: "oauth@ietf.org" <oauth@ietf.org>, "jose@ietf.org" <jose@ietf.org>
>Subject: Re: [OAUTH-WG] [jose] Security research on JWT
>	implementations
>Message-ID:
>	<CAGBSGjrCRczgYLpARfrNsOg-G4KNCUe1DuOdmU6BRyGNLr0sTg@mail.gmail.com>
>Content-Type: text/plain; charset="utf-8"
>
>I'm not sure what article you're referring to, but feel free to add the
>article and send a pull request to oauth.net:
>
>https://github.com/aaronpk/oauth.net
>
>Here's an example of the PR for the Authentication article that Justin
>added: https://github.com/aaronpk/oauth.net/pull/81
>
>Aaron Parecki
>
>
>
>
>On Thu, Apr 2, 2015 at 1:43 PM Mike Jones <Michael.Jones@microsoft.com>
>wrote:
>
>> This warning is already in place in https://tools.ietf.org/html/
>> draft-ietf-oauth-json-web-token-32#section-7.2. It says:
>>
>> Finally, note that it is an application decision which algorithms may
>> be used in a given context. Even if a JWT can be successfully
>> validated, unless the algorithm(s) used in the JWT are acceptable to
>> the application, it SHOULD reject the JWT.
>>
>> -- Mike
>>
>> -----Original Message-----
>> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes Tschofenig
>> Sent: Thursday, April 02, 2015 11:28 AM
>> To: Tim McLean
>> Cc: oauth@ietf.org; jose@ietf.org
>> Subject: Re: [OAUTH-WG] [jose] Security research on JWT implementations
>>
>> [[adding oauth@ietf.org]]
>>
>> On 04/02/2015 08:01 PM, Tim McLean wrote:
>> > However, I do think one way of gauging the success of JWS/JOSE is to
>> > measure how many implementers actually get the security details right.
>>
>> I agree with you.
>>
>> If several people got this wrong then it is a good idea to write about it.
>> Of course, it was a bit difficult to foresee this issue at the time of
>> writing the specification.
>>
>> At a minimum we should put a version of your article at oauth.net.
>>
>> Since the JWT spec (which you reference in your article) is still in
>> Auth48 state we can still add a warning remark to Section 7.2 of
>> https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32.
>>
>> Ciao
>> Hannes
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>-------------- next part --------------
>An HTML attachment was scrubbed...
>URL: <http://www.ietf.org/mail-archive/web/oauth/attachments/20150402/095ea94a/attachment.html>
>
>------------------------------
>
>Subject: Digest Footer
>
>_______________________________________________
>OAuth mailing list
>OAuth@ietf.org
>https://www.ietf.org/mailman/listinfo/oauth
>
>
>------------------------------
>
>End of OAuth Digest, Vol 78, Issue 1
>************************************
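The Section 7.2 rule Mike quotes in the digest above, applied in a minimal verifier as an added example (this is not code from the thread, from the draft, or from any participant): the application's allowlist of acceptable algorithms is checked before any signature logic runs, so a token whose header names an algorithm the application did not approve is rejected even when it would otherwise "validate". The HMAC key and the claims are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret for this example only; not a value from the thread.
DEMO_KEY = b"demo-hmac-key-for-illustration"

def b64url_decode(s):
    # base64url without padding, as used by JWS compact serialization
    s = s.encode("ascii")
    return base64.urlsafe_b64decode(s + b"=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")

def make_hs256_jwt(claims, key):
    # Issue a compact JWS signed with HMAC-SHA256 (HS256)
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, (header + "." + payload).encode("ascii"), hashlib.sha256).digest()
    return header + "." + payload + "." + b64url_encode(sig)

def unsigned_token(claims):
    # Negative test fixture: header says "none" and there is no signature.
    # A verifier that enforces the application's algorithm policy must reject it.
    header = b64url_encode(b'{"alg":"none","typ":"JWT"}')
    return header + "." + b64url_encode(json.dumps(claims).encode()) + "."

def verify_jwt(token, key, allowed_algs=("HS256",)):
    """Return (True, claims) or (False, reason). The application's allowlist is
    consulted before any signature code runs, so the token's own 'alg' value
    cannot select a verification path the application did not approve."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    try:
        alg = json.loads(b64url_decode(header_b64)).get("alg")
    except (ValueError, AttributeError):
        return False, "unparseable header"
    if alg not in allowed_algs:
        return False, "algorithm %r not acceptable to this application" % (alg,)
    if alg != "HS256":  # allowlisted but not implemented here: fail closed
        return False, "no verifier for %r" % (alg,)
    expected = hmac.new(key, (header_b64 + "." + payload_b64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return False, "signature mismatch"
    return True, json.loads(b64url_decode(payload_b64))
```

Passing `allowed_algs` explicitly per deployment (for example only the asymmetric algorithm the issuer is known to use) is the application decision the spec text refers to; the verifier never infers it from the token.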