Re: [OAUTH-WG] More Criticism of JOSE

2017-03-16 Thread Mike Jones
;; oauth@ietf.org<mailto:oauth@ietf.org> Subject: Re: [OAUTH-WG] More Criticism of JOSE hi Mike On Mar 15, 2017, at 10:06 PM, Mike Jones wrote: > Will you be in Chicago, Antonio? If so, maybe you can sit down with us and > work on advice to implementers. Unluckily not. FWIW I wi

Re: [OAUTH-WG] More Criticism of JOSE

2017-03-16 Thread Antonio Sanso
; To: Mike Jones > Cc: Sergey Beryozkin ; oauth@ietf.org > Subject: Re: [OAUTH-WG] More Criticism of JOSE > > hi Mike, > > while I am the original author of one of the mentioned article in the blog > post > (http://blog.intothesymmetry.com/2017/03/critical-vulnerability-in-j

Re: [OAUTH-WG] More Criticism of JOSE

2017-03-15 Thread Carsten Bormann
> On 15 Mar 2017, at 22:06, Mike Jones wrote: > > Will you be in Chicago, Antonio? If so, maybe you can sit down with us and > work on advice to implementers. And maybe we can also work out what part of that advice (and possibly which additional advice) applies to COSE. Grüße, Carsten ___

Re: [OAUTH-WG] More Criticism of JOSE

2017-03-15 Thread Mike Jones
:40 PM To: Mike Jones Cc: Sergey Beryozkin ; oauth@ietf.org Subject: Re: [OAUTH-WG] More Criticism of JOSE hi Mike, while I am the original author of one of the mentioned article in the blog post (http://blog.intothesymmetry.com/2017/03/critical-vulnerability-in-json-web.html) I do not share

Re: [OAUTH-WG] More Criticism of JOSE

2017-03-15 Thread Antonio Sanso
; I'm looking forward to seeing many of you in 1.5 weeks! > > -- Mike > > -Original Message- > From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Sergey Beryozkin > Sent: Wednesday, March 15, 2017 8:46 AM > To: oauth@ietf.org > Subject: Re: [OAUT

Re: [OAUTH-WG] More Criticism of JOSE

2017-03-15 Thread Mike Jones
ozkin Sent: Wednesday, March 15, 2017 8:46 AM To: oauth@ietf.org Subject: Re: [OAUTH-WG] More Criticism of JOSE and everyone should now start using the most secure alternative proposed in that very light in analysis article :-) Sergey On 15/03/17 15:43, Mike Schwartz wrote: > Sorry to be the beare

Re: [OAUTH-WG] More Criticism of JOSE

2017-03-15 Thread Sergey Beryozkin
and everyone should now start using the most secure alternative proposed in that very light in analysis article :-) Sergey On 15/03/17 15:43, Mike Schwartz wrote: Sorry to be the bearer of bad news, but here's a negative review of JOSE: JOSE (Javascript Object Signing and Encryption) is a Bad

[OAUTH-WG] More Criticism of JOSE

2017-03-15 Thread Mike Schwartz
Sorry to be the bearer of bad news, but here's a negative review of JOSE: JOSE (Javascript Object Signing and Encryption) is a Bad Standard That Everyone Should Avoid https://paragonie.com/blog/2017/03/jwt-json-web-tokens-is-bad-standard-that-everyone-should-avoid - Mike __