Re: [OAUTH-WG] More Criticism of JOSE

Sergey Beryozkin <sberyozkin@gmail.com> Wed, 15 March 2017 15:46 UTC

To: oauth@ietf.org
References: <mailman.539.1489455092.6649.oauth@ietf.org> <de3bdfc3f87fad59432f85f75db3d6b4@gluu.org>
From: Sergey Beryozkin <sberyozkin@gmail.com>
Message-ID: <814591e4-c21a-451b-cce9-e4f158f07c2e@gmail.com>
Date: Wed, 15 Mar 2017 15:46:22 +0000
In-Reply-To: <de3bdfc3f87fad59432f85f75db3d6b4@gluu.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/ttfuyXZH2Mcfim06NboWw8iuY0w>

and everyone should now start using the most secure alternative proposed in that very light-in-analysis article :-)

Sergey

On 15/03/17 15:43, Mike Schwartz wrote:
> Sorry to be the bearer of bad news, but here's a negative review of JOSE:
>
> JOSE (Javascript Object Signing and Encryption) is a Bad Standard That
> Everyone Should Avoid
>
> https://paragonie.com/blog/2017/03/jwt-json-web-tokens-is-bad-standard-that-everyone-should-avoid
>
>
> - Mike
>