[OAUTH-WG] More Criticism of JOSE

2017-03-15 Thread Mike Schwartz
Sorry to be the bearer of bad news, but here's a negative review of JOSE: JOSE (Javascript Object Signing and Encryption) is a Bad Standard That Everyone Should Avoid https://paragonie.com/blog/2017/03/jwt-json-web-tokens-is-bad-standard-that-everyone-should-avoid - Mike

Re: [OAUTH-WG] More Criticism of JOSE

2017-03-15 Thread Sergey Beryozkin
and everyone should now start using the most secure alternative proposed in that very light-on-analysis article :-) Sergey On 15/03/17 15:43, Mike Schwartz wrote: Sorry to be the bearer of bad news, but here's a negative review of JOSE: JOSE (Javascript Object Signing and Encryption) is a Bad

[OAUTH-WG] Error Responses in Device Code Spec

2017-03-15 Thread Justin Richer
Unless I’m missing something, the current device code spec doesn’t specify errors from the device code endpoint, only from the token endpoint. What are people implementing in practice? We’re using token endpoint style errors (invalid_client, invalid_grant_type, etc). — Justin

Re: [OAUTH-WG] More Criticism of JOSE

2017-03-15 Thread Mike Jones
The bulk of this seems to be about applications that don't verify that the crypto algorithms that were used in a JWT are acceptable in the application context. While I know that some people would like crypto to be magic pixie dust that you can sprinkle on an application to get crypto goodness,

Re: [OAUTH-WG] More Criticism of JOSE

2017-03-15 Thread Antonio Sanso
Hi Mike, while I am the original author of one of the articles mentioned in the blog post (http://blog.intothesymmetry.com/2017/03/critical-vulnerability-in-json-web.html), I do not entirely share the criticism. That said, I must really admit that some of the cryptographic choices made, especially

Re: [OAUTH-WG] More Criticism of JOSE

2017-03-15 Thread Mike Jones
Will you be in Chicago, Antonio? If so, maybe you can sit down with us and work on advice to implementers. Cheers, -- Mike -Original Message- From: Antonio Sanso [mailto:asa...@adobe.com] Sent: Wednesday, March 15, 2017 1:

Re: [OAUTH-WG] More Criticism of JOSE

2017-03-15 Thread Carsten Bormann
> On 15 Mar 2017, at 22:06, Mike Jones wrote: > Will you be in Chicago, Antonio? If so, maybe you can sit down with us and work on advice to implementers. And maybe we can also work out what part of that advice (and possibly which additional advice) applies to COSE. Greetings, Carsten

Re: [OAUTH-WG] Device Code expiration and syntax

2017-03-15 Thread John Bradley
I think response mode is only needed if you are overloading an existing authorization endpoint. URIs are cheap, so I don’t see the value. > On Mar 13, 2017, at 8:47 AM, Brian Campbell wrote: > On Sat, Mar 11, 2017 at 1:54 PM, William Denniss wrote: