[Openid-specs-ab] Unicode Comparison Security Issues

John Bradley jbradley at mac.com
Tue Oct 5 03:41:07 UTC 2010


How to do string comparisons seems a bit like stepping on the toes of whatever spec is using JSON Simple Sign.

Not that it is not good advice.

I think we can require that for our reserved elements like algorithm.

All of the elements are signed so I think it is more an interop issue than a security one.  If an attacker changes the element name the signature won't verify.

The real problem is the RP and issuer processing the unicode differently and the RP not finding the required element.

I would have thought though that the issue was well understood in JSON generally.  

One thing they do have that I like is a clear way of naming extension elements.

We may want to think about saying all extension elements need to be URI named to avoid collisions.   I think that is simpler than a registry.

John B.


On 2010-10-04, at 11:13 PM, Nat Sakimura wrote:

> For JSON Simple Sign, 
> 9.1.  Unicode Comparison Security Issues
> 
> that is stated in 
> 
> http://self-issued.info/docs/draft-goland-json-web-token-00.html
> 
> may be relevant. We may want to include something like that as well. 
> 
> What do you think?
> 
> John
> 
> -- 
> Nat Sakimura (=nat)
> http://www.sakimura.org/en/
> http://twitter.com/_nat_en
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
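The failure mode John describes (issuer and RP handling Unicode element names differently while the signature still covers the exact serialized bytes), as an added Python example that is not part of the thread; the key, payloads and function names are constructed for illustration.

```python
import hashlib
import hmac
import json
import unicodedata

# Constructed sample (not from the thread): the same object serialized with its
# extension element name in NFC (precomposed e-acute) and in NFD (e followed by
# U+0301 COMBINING ACUTE ACCENT). The reserved element "alg" stays ASCII.
KEY = b"constructed-demo-key"
ISSUER_JSON_NFC = '{"alg":"HS256","caf\u00e9":"x"}'
ISSUER_JSON_NFD = '{"alg":"HS256","cafe\u0301":"x"}'

def sign(payload: str) -> str:
    """HMAC-SHA256 over the exact UTF-8 bytes of the serialized object, so any
    change to an element name (even a normalization change) alters the MAC."""
    return hmac.new(KEY, payload.encode("utf-8"), hashlib.sha256).hexdigest()

def verify(payload: str, mac: str) -> bool:
    return hmac.compare_digest(sign(payload), mac)

def find_element(obj, name):
    """Code-point-exact lookup, as the JWT draft's 'Unicode Comparison Security
    Issues' section recommends: no normalization before comparing names."""
    for key, value in obj.items():
        if key == name:                 # Python compares code point sequences
            return value
    return None

def find_element_normalizing(obj, name, form="NFC"):
    """An RP that normalizes before comparing. Included only to show the interop
    failure when the issuer and the RP disagree about normalization."""
    target = unicodedata.normalize(form, name)
    for key, value in obj.items():
        if unicodedata.normalize(form, key) == target:
            return value
    return None

def non_nfc_keys(obj):
    """Defensive check an RP can run before lookup: member names that are not
    already in NFC, which would be missed by a code-point-exact comparison."""
    return [k for k in obj if unicodedata.normalize("NFC", k) != k]
```

A renamed element fails verification regardless of how the RP compares names; the interop problem only appears when a validly signed object uses a different normalization form than the RP expects.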
