The bulk of this seems to be about applications that don't verify that the 
crypto algorithms that were used in a JWT are acceptable in the application 
context.  While I know that some people would like crypto to be magic pixie 
dust that you can sprinkle on an application to get crypto goodness, it will 
never be that simple.  Crypto algorithms that are thought to be good today will 
be deprecated later.  Apps that keep allowing them to be used will be 
vulnerable.  The JOSE specs requiring that applications be aware of the 
algorithms used is a good and necessary thing for long-term security - not a 
problem with the specs.

That said, of course some implementers will get things wrong.  To the extent 
that we can help them understand what they actually need to do to use the 
specifications securely, we obviously should.  Perhaps we should write an 
article for oauth.net talking about some of these issues?  Maybe a few of us 
can get together in Chicago and work on that.

I'm looking forward to seeing many of you in 1.5 weeks!

                                -- Mike
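As an added illustration of the point above (example code, not from this thread or any JOSE library): a minimal HS256 verifier that pins the accepted algorithms in application code and never lets the token's own `alg` header select the verification routine. The key, claims and sample tokens are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Allow-list of JOSE algorithms this (hypothetical) application accepts for
# its own tokens. Anything else in the header, "none" included, is rejected
# before a signature is even looked at.
ALLOWED_ALGS = {"HS256"}
_HMAC_HASHES = {"HS256": hashlib.sha256}


def _b64url_decode(segment: str) -> bytes:
    # JWS uses unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def sign_hs256(payload: dict, key: bytes) -> str:
    """Mint a compact JWS; used here only to construct sample input."""
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64url_encode(json.dumps(payload).encode())
    mac = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256)
    return f"{header}.{body}.{_b64url_encode(mac.digest())}"


def verify_jwt(token: str, key: bytes) -> Optional[dict]:
    """Return the payload only if alg is on the allow-list AND the MAC
    verifies under that pinned algorithm; otherwise return None."""
    try:
        h_seg, p_seg, s_seg = token.split(".")
        header = json.loads(_b64url_decode(h_seg))
        signature = _b64url_decode(s_seg)
    except ValueError:            # malformed segments, base64 or JSON
        return None
    if not isinstance(header, dict) or header.get("alg") not in ALLOWED_ALGS:
        return None               # rejects "none", RS256, HS512, ...
    digest = _HMAC_HASHES[header["alg"]]
    expected = hmac.new(key, f"{h_seg}.{p_seg}".encode("ascii"), digest).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    return json.loads(_b64url_decode(p_seg))


KEY = b"constructed-demo-key-not-for-real-use"          # constructed
GOOD_TOKEN = sign_hs256({"sub": "alice"}, KEY)
# Constructed token whose header claims alg "none" with an empty signature.
NONE_TOKEN = (_b64url_encode(b'{"alg":"none","typ":"JWT"}') + "."
              + _b64url_encode(b'{"sub":"mallory"}') + ".")
```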

-----Original Message-----
From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Sergey Beryozkin
Sent: Wednesday, March 15, 2017 8:46 AM
To: oauth@ietf.org
Subject: Re: [OAUTH-WG] More Criticism of JOSE

and everyone should now start using the most secure alternative proposed in 
that very light in analysis article :-)

Sergey
On 15/03/17 15:43, Mike Schwartz wrote:
> Sorry to be the bearer of bad news, but here's a negative review of JOSE:
>
> JOSE (Javascript Object Signing and Encryption) is a Bad Standard That 
> Everyone Should Avoid
>
> https://paragonie.com/blog/2017/03/jwt-json-web-tokens-is-bad-standard-that-everyone-should-avoid
>
>
> - Mike
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
