AFAIK, Tim McLean was the first to bring the HMAC/RSA switching attack to
the attention of JWS/JWT implementers -
https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/

Perhaps he should be acknowledged similar to how Antonio is for the invalid
point attack?

I've also provided a little (admittedly very little) review and feedback on
the draft...

On Wed, May 2, 2018 at 2:36 AM, Yaron Sheffer <yaronf.i...@gmail.com> wrote:

> This new version should address all WGLC comments. Please let us know if
> there's anything missing.
>
> Thanks,
>         Yaron
>
>
> -------- Forwarded Message --------
> Subject: New Version Notification for draft-ietf-oauth-jwt-bcp-02.txt
> Date: Wed, 02 May 2018 01:26:17 -0700
> From: internet-dra...@ietf.org
> To: Michael B. Jones <m...@microsoft.com>, Yaron Sheffer <yaronf.i...@gmail.com>, Dick Hardt <d...@amazon.com>, Michael Jones <m...@microsoft.com>
>
>
> A new version of I-D, draft-ietf-oauth-jwt-bcp-02.txt
> has been successfully submitted by Yaron Sheffer and posted to the
> IETF repository.
>
> Name:           draft-ietf-oauth-jwt-bcp
> Revision:       02
> Title:          JSON Web Token Best Current Practices
> Document date:  2018-05-02
> Group:          oauth
> Pages:          13
> URL: https://www.ietf.org/internet-drafts/draft-ietf-oauth-jwt-bcp-02.txt
> Status:         https://datatracker.ietf.org/doc/draft-ietf-oauth-jwt-bcp/
> Htmlized:       https://tools.ietf.org/html/draft-ietf-oauth-jwt-bcp-02
> Htmlized: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-jwt-bcp
> Diff: https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-jwt-bcp-02
>
> Abstract:
>    JSON Web Tokens, also known as JWTs, are URL-safe JSON-based security
>    tokens that contain a set of claims that can be signed and/or
>    encrypted.  JWTs are being widely used and deployed as a simple
>    security token format in numerous protocols and applications, both in
>    the area of digital identity, and in other application areas.  The
>    goal of this Best Current Practices document is to provide actionable
>    guidance leading to secure implementation and deployment of JWTs.
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> The IETF Secretariat
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
