Will you be in Chicago, Antonio? If so, maybe you can sit down with us and work on advice to implementers.
Cheers,
-- Mike

-----Original Message-----
From: Antonio Sanso [mailto:asa...@adobe.com]
Sent: Wednesday, March 15, 2017 1:40 PM
To: Mike Jones <michael.jo...@microsoft.com>
Cc: Sergey Beryozkin <sberyoz...@gmail.com>; oauth@ietf.org
Subject: Re: [OAUTH-WG] More Criticism of JOSE

hi Mike,

while I am the original author of one of the mentioned articles in the blog post (http://blog.intothesymmetry.com/2017/03/critical-vulnerability-in-json-web.html) I do not share entirely the criticism.
Said that, I must really admit that some of the cryptographic choices made, especially in JWE, are really questionable.

regards

antonio

On Mar 15, 2017, at 8:50 PM, Mike Jones <michael.jo...@microsoft.com> wrote:

> The bulk of this seems to be about applications that don't verify that the
> crypto algorithms that were used in a JWT are acceptable in the application
> context. While I know that some people would like crypto to be magic pixie
> dust that you can sprinkle on an application to get crypto goodness, it will
> never be that simple. Crypto algorithms that are thought to be good today
> will be deprecated later. Apps that keep allowing them to be used will be
> vulnerable. The JOSE specs requiring that applications be aware of the
> algorithms used is a good and necessary thing for long-term security - not a
> problem with the specs.
>
> That said, of course some implementers will get things wrong. To the extent
> that we can help them understand what they actually need to do to use the
> specifications securely, we obviously should. Perhaps we should write an
> article for oauth.net talking about some of these issues? Maybe a few of us
> can get together in Chicago and work on that.
>
> I'm looking forward to seeing many of you in 1.5 weeks!
>
> -- Mike
>
> -----Original Message-----
> From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Sergey Beryozkin
> Sent: Wednesday, March 15, 2017 8:46 AM
> To: oauth@ietf.org
> Subject: Re: [OAUTH-WG] More Criticism of JOSE
>
> and everyone should now start using the most secure alternative
> proposed in that very light in analysis article :-)
>
> Sergey
> On 15/03/17 15:43, Mike Schwartz wrote:
>> Sorry to be the bearer of bad news, but here's a negative review of JOSE:
>>
>> JOSE (Javascript Object Signing and Encryption) is a Bad Standard
>> That Everyone Should Avoid
>>
>> https://paragonie.com/blog/2017/03/jwt-json-web-tokens-is-bad-standard-that-everyone-should-avoid
>>
>> - Mike
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
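The point Mike Jones makes in the quoted message, that an application must decide for itself which JOSE algorithms it accepts instead of trusting the `alg` value a token carries, as an added Python example that is not part of this thread and is not the code of any JOSE library. It uses only the standard library; the allow-list (`ALLOWED_ALGS`), the demo key, the claims and the `mint` helper that produces test tokens are all constructed here for the demonstration. The verifier knows how to compute three HMAC variants, but accepts only the one the application's policy names, and it rejects by policy before any signature code runs.

```python
import base64
import hashlib
import hmac
import json
import time

# HMAC variants this verifier knows how to compute.  Knowing how to verify
# an algorithm is not the same as accepting it: acceptance is decided by
# the allow-list below, which is application policy.
HMAC_HASHES = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

# Application policy for this service (constructed for the demo).
ALLOWED_ALGS = frozenset({"HS256"})

# Constructed demo key; a real service loads this from a secret store.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def mint(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Build a compact JWS (demo helper).  `alg` is a parameter so the demo
    can produce tokens whose header names an algorithm the verifier must
    not accept."""
    signing_input = _json_segment({"alg": alg, "typ": "JWT"}) + "." + _json_segment(claims)
    if alg == "none":
        return signing_input + "."  # unsecured JWS: empty signature segment
    digest = hmac.new(key, signing_input.encode("ascii"), HMAC_HASHES[alg]).digest()
    return signing_input + "." + _b64url_encode(digest)


class TokenRejected(Exception):
    pass


def verify(token: str, key: bytes, allowed_algs=ALLOWED_ALGS, now=None) -> dict:
    """Return the claims of `token` or raise TokenRejected.  The header is
    untrusted input until the signature checks out, so `alg` is only used
    to select among algorithms the application already permits."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("not a compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError) as exc:
        raise TokenRejected("unparseable header") from exc
    alg = header.get("alg")
    if alg not in allowed_algs:
        # Rejected here regardless of whether a verifier exists: "none" and
        # every algorithm outside the policy never reach signature code.
        raise TokenRejected(f"alg {alg!r} not permitted by policy")
    hash_fn = HMAC_HASHES.get(alg)
    if hash_fn is None:
        raise TokenRejected(f"alg {alg!r} permitted but unsupported")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hash_fn).digest()
    # Constant-time comparison of the computed and presented signatures.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenRejected("signature mismatch")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" in claims and claims["exp"] <= now:
        raise TokenRejected("token expired")
    return claims


def outcome(token: str, key: bytes = DEMO_KEY, now=None) -> str:
    """Convenience wrapper: 'accepted' or the rejection reason."""
    try:
        verify(token, key, now=now)
        return "accepted"
    except TokenRejected as exc:
        return str(exc)


if __name__ == "__main__":
    now = 1_700_000_000
    claims = {"sub": "alice", "exp": now + 60}
    print(outcome(mint(claims, DEMO_KEY), now=now))               # accepted
    print(outcome(mint(claims, DEMO_KEY, alg="none"), now=now))   # alg 'none' not permitted by policy
    print(outcome(mint(claims, DEMO_KEY, alg="HS512"), now=now))  # alg 'HS512' not permitted by policy
    print(outcome(mint(claims, b"wrong-key"), now=now))           # signature mismatch
```

The HS512 case is the one that illustrates the thread's argument: the token is correctly signed with the right key, and the code could verify it, yet it is rejected because this application's policy has not approved that algorithm. Widening or narrowing `ALLOWED_ALGS` is how the application retires an algorithm later without touching the verifier.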