[Openid-specs-ab] "jti" claim in client_secret_jwt and private_key_jwt JWTs
Torsten Lodderstedt
torsten at lodderstedt.net
Sun Oct 27 14:44:37 UTC 2013
On 27.10.2013 04:52, Mike Jones wrote:
>
> One possibility that comes to mind is saying that if "jti" is
> included, it signals that the JWT is single-use. What do people think
> of that possibility?
>
We use "jti" that way. So I like this idea :-)
> What do people expect the "normal" use of these JWTs to be?
>
> -- Mike
>
> *From:*Brian Campbell [mailto:bcampbell at pingidentity.com]
> *Sent:* Saturday, October 26, 2013 11:56 AM
> *To:* John Bradley
> *Cc:* Mike Jones; openid-specs-ab at lists.openid.net
> *Subject:* Re: [Openid-specs-ab] "jti" claim in client_secret_jwt and
> private_key_jwt JWTs
>
> Not so fast. The same assertion could be used multiple times and,
> because it'll have a relatively short validity window, it will still
> have significantly better security characteristics than a password.
> Which is true for both self-signed and 3rd party issued assertions.
>
> Yes, single use is better than that but enforcing single use places a
> significant operational burden on the AS. I don't believe the tradeoff
> is worth it for client auth over a direct TLS connection to the AS.
>
> If the AS has the option of enforcing one-time use assertions but no
> way for the client to discover the requirement, then you'll have
> interop problems (or overly complex and probably buggy retry code on
> the client).
>
> On Fri, Oct 25, 2013 at 9:25 PM, John Bradley <ve7jtb at ve7jtb.com
> <mailto:ve7jtb at ve7jtb.com>> wrote:
>
> Self signed assertions must be single use. That is the point of using
> them vs a password. If you use the same assertion multiple times it
> is a password.
>
> There are reasons to re use a third party assertion, but it has the
> same security as a password.
>
> Sent from my iPhone
>
>
> On Oct 25, 2013, at 7:49 PM, Mike Jones <Michael.Jones at microsoft.com
> <mailto:Michael.Jones at microsoft.com>> wrote:
>
> The spec currently says this about JWTs used for client_secret_jwt
> and private_key_jwt:
>
> jti
>
> REQUIRED. JWT ID. A unique identifier for the token. The JWT ID
> MAY be used by implementations requiring message de-duplication
> for one-time use assertions.
>
> Brian asked us to drop the sentence "The JWT ID MAY be used by
> implementations requiring message de-duplication for one-time use
> assertions" in both cases.
>
> A few questions:
>
> 1. Why is "jti" required?
>
> 2. How do we expect it to normally be used?
>
> 3. Would it be typical for assertions to be for one-time use in our
> use cases?
>
> 4. How would a client know whether an assertion is for one-time use?
>
> 5. Should "jti" only be present if the assertion is for one-time use?
>
> 6. Should it be required at all?
>
> -- Mike
>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> <mailto:Openid-specs-ab at lists.openid.net>
> http://lists.openid.net/mailman/listinfo/openid-specs-ab