Hello Dick,
Why not say what you wrote in the document?

The threat exists (and should not be ignored). While this document describes implementation considerations, the way to counter this threat is not described in this document. Selective disclosure deployment of SD-JWTs will be insecure until / unless counter-measures are taken. These counter-measures are thus critical.

At the moment, people reading the draft might believe that following all these best practices will mean a safe and secure implementation. However, this will not be the case.
Denis
PS. I switched to the mailing list as you closed the issue without allowing me to respond on GitHub.
*dickhardt* left a comment (oauth-wg/draft-ietf-oauth-rfc8725bis#15)
<https://github.com/oauth-wg/draft-ietf-oauth-rfc8725bis/issues/15#issuecomment-3542433019>
@Denisthemalice <https://github.com/Denisthemalice>
Thanks for raising this. The scenario you describe is absolutely a
real-world threat, but it results from key-management and TEE
isolation failures, not from any behavior specific to JWTs or JOSE.
The JWT BCP focuses narrowly on how to create, validate, and use JWTs
safely (algorithm verification, claim validation,
confusion/substitution prevention, cryptographic parameter limits, etc.).
The TEE scenario is an operational/platform issue: multiple
applications are allowed to use the same signing key. JWTs (or any
other token type) cannot defend against a compromised or
overly-permissive key environment.
Therefore this threat is out of scope for this document, and I am
closing this issue. It is better covered by platform security
guidance, key-attestation requirements, or the SD-JWT deployment BCP
rather than the JWT BCP.
_______________________________________________
OAuth mailing list -- [email protected]