On Thu, Apr 2, 2015 at 11:58 AM, Sergey Beryozkin <[email protected]> wrote:
> Our library requires the verifiers initialized with the expected algo, as > opposed to supporting the provided algo property out of the box. It is an > obvious thing to have IMHO. It is not right to portrait it as a weakness of > the JWS spec... > > I also agree that 'none' can be a useful feature, not only in a trusted > channel but also as a way to use a generic JWE-JWS function where JWE > encryption only is important > > Sergey > That's the right way to do it! Unfortunately, it wasn't obvious to the majority of implementers. My point here isn't really that the spec is "wrong" -- it's a great piece of work, and I'd like to see it succeed. Technically, the libraries were vulnerable not because of a deficiency in JWS, but because they broke from spec. However, I do think one way of gauging the success of JWS/JOSE is to measure how many implementers actually get the security details right. I think the change I'm proposing could significantly improve this metric. Cheers, Tim
_______________________________________________ jose mailing list [email protected] https://www.ietf.org/mailman/listinfo/jose
