Re: [OAUTH-WG] Plaintext JWT bug

2013-08-01 Thread Richard Barnes
that’s an application bug – not a spec bug. -- Mike From: Richard Barnes [mailto:r...@ipv.sx] Sent: Thursday, August 01, 2013 5:24 AM To: Mike Jones Cc: oauth@ietf.

Re: [OAUTH-WG] Plaintext JWT bug

2013-08-01 Thread Mike Jones
-- Mike From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Richard Barnes Sent: Thursday, August 01, 2013 5:08 AM To: oauth@ietf.org<mailto:oa

Re: [OAUTH-WG] Plaintext JWT bug

2013-08-01 Thread Richard Barnes
-- Mike From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Richard Barnes Sent: Thursday, August 01, 2013 5:08 AM To: oauth@ietf.org WG Subject: [OAUTH-WG] Plaint

Re: [OAUTH-WG] Plaintext JWT bug

2013-08-01 Thread Mike Jones
elling reason to change it at this point. -- Mike From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Richard Barnes Sent: Thursday, August 01, 2013 5:08 AM To: oauth@ietf.org WG Subject: [OAUTH-WG] Plaintext JWT bug It has come to my attention that JWT is using "a

[OAUTH-WG] Plaintext JWT bug

2013-08-01 Thread Richard Barnes
It has come to my attention that JWT is using "alg":"none" to create "Plaintext JWTs". Some of us in JOSE believe that this "alg" value should be removed, because of a risk of downgrade attacks. In order to do that, a suggested revision to JWT is below. To summarize: -- Plaintext JWTs are not JW