Hi Brian,
These two attacks on TLS are only examples of the breakage that can
occur when the adversary can control the plaintext to some degree (even
a small piece of the plaintext, e.g. a malleable HTTP cookie can result
in decryption of the whole message). Similar attacks were demonstrated
in IPsec. Can you please add details on why typical use of JWT would not
be susceptible to these attacks?
Thanks,
Yaron
On critique of JWT I've seen a few times can be paraphrased as "JWT
supports compressed plaintext so, because of CRIME and BREACH, it is
dangerous and stupid." It's very possible that I am stupid (many on this
list will likely attest to it) but I don't see the applicability of those
kinds of chosen plaintext attacks aimed at recovering sensitive data to how
JWT/JWE are typically used.
I think it would be useful, if during the development of the JWT BCP, the
authors or chairs or WG could somehow engage some experts (CFRG?) to
understand if there's any real practical advice that can be given about
using compression with JWE and the risks involved.
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth