My mistake! In that case, my request is editorial, to mention that in section 2.1 where it first talks about signing algorithms.
----
Aaron Parecki
aaronparecki.com
@aaronpk <http://twitter.com/aaronpk>

On Thu, Apr 16, 2020 at 1:12 PM Brian Campbell <bcampb...@pingidentity.com> wrote:

> sec 4 does have "The resource server MUST reject any JWT in which the
> value of "alg" is "none"."
>
> On Thu, Apr 16, 2020 at 1:09 PM Aaron Parecki <aa...@parecki.com> wrote:
>
>> Section 2.1 says:
>>
>> > Although JWT access tokens can use any signing algorithm, use of
>> > asymmetric algorithms is RECOMMENDED
>>
>> Can this be strengthened to disallow the `none` algorithm? Something like
>> adding "... and MUST NOT use the "none" algorithm".
>>
>> Given that the JWT BCP doesn't disallow the "none" algorithm, technically
>> someone could follow both this JWT Access Token spec and the JWT BCP spec
>> and end up with an implementation that allows an AS to accept JWTs with the
>> "none" algorithm.
>>
>> ----
>> Aaron Parecki
>> aaronparecki.com
>> @aaronpk <http://twitter.com/aaronpk>
>>
>> On Wed, Apr 15, 2020 at 11:59 AM Rifaat Shekh-Yusef <rifaat.i...@gmail.com> wrote:
>>
>>> Hi all,
>>>
>>> This is a second working group last call for "JSON Web Token (JWT)
>>> Profile for OAuth 2.0 Access Tokens".
>>>
>>> Here is the document:
>>> https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-06
>>>
>>> Please send your comments to the OAuth mailing list by April 29, 2020.
>>>
>>> Regards,
>>> Rifaat & Hannes
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>
> *CONFIDENTIALITY NOTICE: This email may contain confidential and
> privileged material for the sole use of the intended recipient(s). Any
> review, use, distribution or disclosure by others is strictly prohibited.
> If you have received this communication in error, please notify the sender
> immediately by e-mail and delete the message and any file attachments from
> your computer. Thank you.*
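The thread above turns on one resource-server behaviour: whether the token's own "alg" header is allowed to decide that no signature needs checking. The following is an added example, not code from the draft or from anyone in the thread. It puts the vulnerable verifier (which honours an Unsecured JWS with alg "none") beside a hardened one that implements the section 4 rule (reject "none", then accept only algorithms the RS itself configured). HS256 stands in for the asymmetric algorithm the profile recommends, purely so the example runs on the Python standard library; a real RS would register RS256/ES256/PS256 verifiers from a crypto library. The shared key, the claims, and the function names (verify_vulnerable, verify_hardened, forge_unsecured, and so on) are constructed for this example.

```python
"""Resource-server-side JWT access token check, vulnerable verifier beside hardened one.

Added example, not code from draft-ietf-oauth-access-token-jwt or the OAuth list thread.
HS256 stands in for the asymmetric algorithm the profile recommends (stdlib only);
key, claims and function names are constructed for this example."""
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(seg: str) -> bytes:
    # JWS segments carry no '=' padding; tolerating it would give one segment
    # several encodings, so it is rejected outright.
    if "=" in seg:
        raise ValueError("JWS segment must not contain padding")
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def _verify_hs256(signing_input: bytes, signature: bytes, key: bytes) -> bool:
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


# alg -> verifier(signing_input, signature, key). Deliberately no "none" entry.
VERIFIERS = {"HS256": _verify_hs256}


def split_jws(token: str):
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise ValueError("header and payload must be JSON objects")
    signing_input = f"{parts[0]}.{parts[1]}".encode("ascii")
    return header, payload, signing_input, b64url_decode(parts[2])


def verify_vulnerable(token: str, key: bytes) -> dict:
    """The bug under discussion: the token's own "alg" decides whether a signature
    is checked at all, so an Unsecured JWS (alg "none") is accepted as valid."""
    header, payload, signing_input, sig = split_jws(token)
    alg = header.get("alg")
    if alg == "none":
        return payload
    verifier = VERIFIERS.get(alg)
    if verifier is None:
        raise ValueError(f"unsupported alg {alg!r}")
    if not verifier(signing_input, sig, key):
        raise ValueError("signature verification failed")
    return payload


def verify_hardened(token: str, key: bytes, allowed_algs: frozenset) -> dict:
    """Section 4 behaviour: reject "none" outright, then accept only algorithms the
    RS configured. The RS allow-list, not the token header, chooses the verifier."""
    header, payload, signing_input, sig = split_jws(token)
    alg = header.get("alg")
    if not isinstance(alg, str) or alg.lower() == "none":
        raise ValueError('token rejected: "alg" missing or "none"')
    if alg not in allowed_algs:
        raise ValueError(f"token rejected: alg {alg!r} not in allow-list")
    if not sig:
        raise ValueError("token rejected: empty signature")
    verifier = VERIFIERS.get(alg)
    if verifier is None:
        raise ValueError(f"token rejected: no verifier registered for {alg!r}")
    if not verifier(signing_input, sig, key):
        raise ValueError("token rejected: signature verification failed")
    return payload


def mint_hs256(claims: dict, key: bytes) -> str:
    """Plays the AS: a signed token with the profile's "at+jwt" type header."""
    header = {"alg": "HS256", "typ": "at+jwt"}
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"


def forge_unsecured(claims: dict, alg_value: str = "none") -> str:
    """Plays the attacker: chosen claims, alg "none", empty signature segment."""
    header = {"alg": alg_value, "typ": "at+jwt"}
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{h}.{p}."


def tamper_payload(token: str, claims: dict) -> str:
    """Plays the attacker: swap the payload but keep the original signature."""
    h, _, s = token.split(".")
    return f"{h}.{b64url_encode(json.dumps(claims, separators=(',', ':')).encode())}.{s}"


def is_rejected(verify, *args) -> bool:
    try:
        verify(*args)
        return False
    except ValueError:
        return True


# Constructed sample inputs.
KEY = b"constructed-demo-secret-do-not-reuse"
ALLOWED = frozenset({"HS256"})
LEGIT = mint_hs256({"iss": "https://as.example", "aud": "https://rs.example",
                    "sub": "alice", "scope": "read"}, KEY)
FORGED = forge_unsecured({"iss": "https://as.example", "aud": "https://rs.example",
                          "sub": "admin", "scope": "read write"})

if __name__ == "__main__":
    print("hardened,   legit  :", verify_hardened(LEGIT, KEY, ALLOWED)["sub"])
    print("vulnerable, forged :", verify_vulnerable(FORGED, KEY)["sub"])
    print("hardened,   forged : rejected =", is_rejected(verify_hardened, FORGED, KEY, ALLOWED))
```

The hardened path checks the "alg" value before any key or verifier is consulted, which is what makes the section 4 MUST cheap to enforce: an explicit `none` test plus a configured allow-list, so neither a missing header nor a case variant such as "None" reaches signature verification. The same shape carries over to asymmetric algorithms; the only change is the verifier registered for each allowed alg.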