<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <br>
    <br>
    <div class="moz-cite-prefix">On 27.10.2013 04:52, Mike Jones
      wrote:<br>
    </div>
    <blockquote
cite="mid:4E1F6AAD24975D4BA5B168042967394377E13926@TK5EX14MBXC286.redmond.corp.microsoft.com"
      type="cite">
      <meta http-equiv="Content-Type" content="text/html;
        charset=ISO-8859-1">
      <meta name="Generator" content="Microsoft Word 14 (filtered
        medium)">
      <style><!--
/* Font Definitions */
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
        {font-family:Verdana;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p
        {mso-style-priority:99;
        mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
span.EmailStyle18
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-family:"Calibri","sans-serif";}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
--></style>
      <div class="WordSection1">
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">One
            possibility that comes to mind is saying that if “jti” is
            included, it signals that the JWT is single-use.  What do
            people think of that possibility?</span></p>
      </div>
    </blockquote>
    <br>
    We use "jti" that way, so I like this idea :-)<br>
    <br>
    <blockquote
cite="mid:4E1F6AAD24975D4BA5B168042967394377E13926@TK5EX14MBXC286.redmond.corp.microsoft.com"
      type="cite">
      <div class="WordSection1">
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">What
            do people expect the “normal” use of these JWTs to be?<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">-- Mike</span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
        <p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
            Brian Campbell [<a class="moz-txt-link-freetext" href="mailto:bcampbell@pingidentity.com">mailto:bcampbell@pingidentity.com</a>]
            <br>
            <b>Sent:</b> Saturday, October 26, 2013 11:56 AM<br>
            <b>To:</b> John Bradley<br>
            <b>Cc:</b> Mike Jones; <a class="moz-txt-link-abbreviated" href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a><br>
            <b>Subject:</b> Re: [Openid-specs-ab] "jti" claim in
            client_secret_jwt and private_key_jwt JWTs<o:p></o:p></span></p>
        <p class="MsoNormal"><o:p> </o:p></p>
        <div>
          <div>
            <div>
              <p class="MsoNormal" style="margin-bottom:12.0pt">Not so
                fast. The same assertion could be used multiple times
                and, because it'll have a relatively short validity
                window, it will still have significantly better security
                characteristics than a password. Which is true for both
                self-signed and 3rd party issued assertions. <o:p></o:p></p>
            </div>
            <p class="MsoNormal" style="margin-bottom:12.0pt">Yes,
              single use is better than that but enforcing single use
              places a significant operational burden on the AS. I don't
              believe the tradeoff is worth it for client auth over a
              direct TLS connection to the AS.
              <o:p></o:p></p>
          </div>
          <p class="MsoNormal">If the AS has the option of enforcing
            one-time use assertions but no way for the client to
            discover the requirement, then you'll have interop problems
            (or overly complex and probably buggy retry code on the
            client).
            </p>
        </div>
        <div>
          <p class="MsoNormal" style="margin-bottom:12.0pt"><o:p> </o:p></p>
          <div>
            <p class="MsoNormal">On Fri, Oct 25, 2013 at 9:25 PM, John
              Bradley <<a moz-do-not-send="true"
                href="mailto:ve7jtb@ve7jtb.com" target="_blank">ve7jtb@ve7jtb.com</a>>
              wrote:<o:p></o:p></p>
            <div>
              <div>
                <p class="MsoNormal">Self-signed assertions must be
                  single use.  That is the point of using them vs a
                  password.  If you use the same assertion multiple
                  times it is a password. </p>
              </div>
              <div>
                <p class="MsoNormal"><o:p> </o:p></p>
              </div>
              <div>
                <p class="MsoNormal">There are reasons to reuse a third
                  party assertion, but it has the same security as a
                  password. <br>
                  <br>
                  Sent from my iPhone</p>
              </div>
              <div>
                <div>
                  <div>
                    <p class="MsoNormal" style="margin-bottom:12.0pt"><br>
                      On Oct 25, 2013, at 7:49 PM, Mike Jones <<a
                        moz-do-not-send="true"
                        href="mailto:Michael.Jones@microsoft.com"
                        target="_blank">Michael.Jones@microsoft.com</a>>
                      wrote:<o:p></o:p></p>
                  </div>
                  <blockquote
                    style="margin-top:5.0pt;margin-bottom:5.0pt">
                    <div>
                      <div>
                        <p class="MsoNormal"
                          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">The
                          spec currently says this about JWTs used for
                          client_secret_jwt and private_key_jwt:<o:p></o:p></p>
                        <p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in"><span
style="font-family:"Verdana","sans-serif"" lang="EN">jti</span><o:p></o:p></p>
                        <p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:1.0in"><span
style="font-family:"Verdana","sans-serif"" lang="EN">REQUIRED.
                            JWT ID. A unique identifier for the token.
                            The JWT ID MAY be used by implementations
                            requiring message de-duplication for
                            one-time use assertions.
                          </span><o:p></o:p></p>
                        <p class="MsoNormal"
                          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
                        <p class="MsoNormal"
                          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Brian
                          asked us to drop the sentence “<span
                            style="font-family:"Verdana","sans-serif""
                            lang="EN">The JWT ID MAY be used by
                            implementations requiring message
                            de-duplication for one-time use assertions</span>”
                          in both cases.<o:p></o:p></p>
                        <p class="MsoNormal"
                          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
                        <p class="MsoNormal"
                          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">A
                          few questions:<o:p></o:p></p>
                        <ol>
                          <li>Why is “jti” required?</li>
                          <li>How do we expect it to normally be used?</li>
                          <li>Would it be typical for assertions to be for
                            one-time use in our use cases?</li>
                          <li>How would a client know whether an assertion is
                            for one-time use?</li>
                          <li>Should “jti” only be present if the assertion is
                            for one-time use?</li>
                          <li>Should it be required at all?</li>
                        </ol>
                        <p class="MsoNormal"
                          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
                        <p class="MsoNormal"
                          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">-- Mike</p>
                        <p class="MsoNormal"
                          style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
                      </div>
                    </div>
                  </blockquote>
                </div>
              </div>
              <blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
                <div>
                  <p class="MsoNormal">_______________________________________________<br>
                    Openid-specs-ab mailing list<br>
                    <a moz-do-not-send="true"
                      href="mailto:Openid-specs-ab@lists.openid.net"
                      target="_blank">Openid-specs-ab@lists.openid.net</a><br>
                    <a moz-do-not-send="true"
                      href="http://lists.openid.net/mailman/listinfo/openid-specs-ab"
                      target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><o:p></o:p></p>
                </div>
              </blockquote>
            </div>
          </div>
          <p class="MsoNormal"><o:p> </o:p></p>
        </div>
      </div>
    </blockquote>
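    <p>The thread above argues over whether "jti" in a client_secret_jwt /
      private_key_jwt assertion should signal single use, and whether the
      de-duplication this asks of the AS is worth the operational cost. The
      following is an added example, not code from the thread or from any
      OpenID or OAuth implementation, showing the AS-side check as described:
      the assertion's signature, iss/sub, aud and exp are verified, and "jti" is
      then enforced as single use by a replay cache that forgets each jti once
      its exp has passed, so the cache is bounded by the (short) validity window
      rather than growing without limit. It uses client_secret_jwt (HS256) so it
      runs with the standard library alone; the same check applies unchanged to
      private_key_jwt once the HMAC verification is swapped for a public-key
      signature check. CLIENT_ID, CLIENT_SECRET, TOKEN_ENDPOINT, MAX_LIFETIME and
      the class and function names are assumptions made for the example.</p>

```python
"""Added example, not code from the thread or from any OpenID/OAuth
implementation: an authorization server (AS) checking a client_secret_jwt
client assertion and enforcing single use of "jti", where each seen jti
is remembered only until the assertion's "exp". CLIENT_ID, CLIENT_SECRET,
TOKEN_ENDPOINT and the 300-second cap on the validity window are
assumptions chosen for the example."""
import base64
import hashlib
import hmac
import json
import time

CLIENT_ID = "s6BhdRkqt3"                             # constructed sample client_id
CLIENT_SECRET = b"constructed-shared-client-secret"  # assumption, demo only
TOKEN_ENDPOINT = "https://as.example/token"          # assumption: value used as "aud"
MAX_LIFETIME = 300  # assumption: AS rejects assertions valid longer than this


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_assertion(jti: str, now: int, lifetime: int = 60) -> str:
    """Client side: HS256 JWT as in client_secret_jwt, short validity window."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": CLIENT_ID, "sub": CLIENT_ID, "aud": TOKEN_ENDPOINT,
              "jti": jti, "iat": now, "exp": now + lifetime}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    sig = hmac.new(CLIENT_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


class JtiReplayCache:
    """Remembers seen jti values until their exp, so the store stays bounded
    by (request rate x MAX_LIFETIME) rather than growing forever."""

    def __init__(self):
        self._seen = {}  # jti -> exp

    def check_and_record(self, jti: str, exp: int, now: int) -> bool:
        expired = [k for k, e in self._seen.items() if e <= now]
        for k in expired:
            del self._seen[k]  # the exp check already rejects those assertions
        if jti in self._seen:
            return False  # replay within the validity window
        self._seen[jti] = exp
        return True


def verify_client_assertion(token: str, cache: JtiReplayCache, now: int) -> dict:
    """AS side: verify signature and standard claims, then enforce jti single use."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    h_b64, c_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    if header.get("alg") != "HS256":  # also rejects "none"
        raise ValueError("unexpected alg")
    expected = hmac.new(CLIENT_SECRET, f"{h_b64}.{c_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(c_b64))
    if claims.get("iss") != CLIENT_ID or claims.get("sub") != CLIENT_ID:
        raise ValueError("iss/sub mismatch")
    aud = claims.get("aud")
    if aud != TOKEN_ENDPOINT and not (isinstance(aud, list) and TOKEN_ENDPOINT in aud):
        raise ValueError("aud mismatch")
    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp:
        raise ValueError("expired")
    if exp - now > MAX_LIFETIME:
        raise ValueError("validity window too long")
    jti = claims.get("jti")
    if not isinstance(jti, str) or not jti:
        raise ValueError("jti required")
    if not cache.check_and_record(jti, exp, now):
        raise ValueError("replayed jti")
    return claims


def verify_outcome(token: str, cache: JtiReplayCache, now: int):
    """Wrapper returning ("ok", claims) or ("error", reason) for callers/tests."""
    try:
        return "ok", verify_client_assertion(token, cache, now)
    except ValueError as err:
        return "error", str(err)


if __name__ == "__main__":
    cache = JtiReplayCache()
    now = int(time.time())
    assertion = make_client_assertion("c2ae0d50-constructed", now)
    print(verify_outcome(assertion, cache, now + 1)[0])   # ok
    print(verify_outcome(assertion, cache, now + 2))      # ('error', 'replayed jti')
```

    <p>Capping the accepted validity window (MAX_LIFETIME) is what keeps the
      replay cache small: a jti only needs to be remembered until its exp, after
      which the exp check alone rejects the assertion. The remaining cost, which
      is the burden the thread mentions, is that a clustered AS must keep this
      cache in a store shared by all nodes, or a replay sent to a different node
      will be accepted.</p>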
    <br>
  </body>
</html>