[Openid-specs-ab] "jti" claim in client_secret_jwt and private_key_jwt JWTs

Brian Campbell bcampbell at pingidentity.com
Sat Oct 26 18:56:23 UTC 2013


Not so fast. The same assertion could be used multiple times and, because
it'll have a relatively short validity window, it will still have
significantly better security characteristics than a password. Which is
true for both self-signed and 3rd party issued assertions.

Yes, single use is better than that but enforcing single use places a
significant operational burden on the AS. I don't believe the tradeoff is
worth it for client auth over a direct TLS connection to the AS.

If the AS has the option of enforcing one-time use assertions but no way
for the client to discover the requirement, then you'll have interop
problems (or overly complex and probably buggy retry code on the client).


On Fri, Oct 25, 2013 at 9:25 PM, John Bradley <ve7jtb at ve7jtb.com> wrote:

> Self signed assertions must be single use.  That is the point of using
> them vs a password.  If you use the same assertion multiple times it is a
> password.
>
> There are reasons to reuse a third party assertion, but it has the same
> security as a password.
>
> Sent from my iPhone
>
> On Oct 25, 2013, at 7:49 PM, Mike Jones <Michael.Jones at microsoft.com>
> wrote:
>
> The spec currently says this about JWTs used for client_secret_jwt and
> private_key_jwt:
>
> jti
>
> REQUIRED. JWT ID. A unique identifier for the token. The JWT ID MAY be
> used by implementations requiring message de-duplication for one-time use
> assertions.
>
> Brian asked us to drop the sentence “The JWT ID MAY be used by
> implementations requiring message de-duplication for one-time use assertions”
> in both cases.
>
> A few questions:
>
> 1. Why is “jti” required?
>
> 2. How do we expect it to normally be used?
>
> 3. Would it be typical for assertions to be for one-time use in our
> use cases?
>
> 4. How would a client know whether an assertion is for one-time use?
>
> 5. Should “jti” only be present if the assertion is for one-time
> use?
>
> 6. Should it be required at all?
>
> -- Mike
>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>
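Added example (not code from this thread or from any OpenID implementation) of the AS-side tradeoff Brian and John discuss: an HS256 client_secret_jwt verifier that checks the usual claims, requires jti as the quoted draft text does, and optionally enforces one-time use with a replay cache that keeps a jti only until its exp passes, so the AS state is bounded by the assertion's short validity window. The client id, client secret and token endpoint are constructed sample values.

```python
import base64, hashlib, hmac, json

CLIENT_ID = "s6BhdRkqt3"  # constructed sample values; none come from the thread
CLIENT_SECRET = b"constructed-client-secret"
TOKEN_ENDPOINT = "https://as.example/token"

b64e = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
b64d = lambda s: base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_assertion(jti: str, iat: int, lifetime: int = 60) -> str:
    """Client side: HS256 client_secret_jwt with a short validity window."""
    header = b64e(json.dumps({"alg": "HS256"}).encode())
    claims = {"iss": CLIENT_ID, "sub": CLIENT_ID, "aud": TOKEN_ENDPOINT,
              "jti": jti, "iat": iat, "exp": iat + lifetime}
    signing_input = header + "." + b64e(json.dumps(claims).encode())
    sig = hmac.new(CLIENT_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64e(sig)


class AssertionVerifier:
    """AS side: signature and claim checks, plus optional one-time-use enforcement.
    A jti is remembered only until its exp passes, so replay state stays bounded."""

    def __init__(self, enforce_single_use: bool):
        self.enforce_single_use = enforce_single_use
        self._seen = {}  # jti -> exp

    def verify(self, assertion: str, now: int) -> dict:
        header, payload, sig = assertion.split(".")
        expected = hmac.new(CLIENT_SECRET, f"{header}.{payload}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64d(sig)):
            raise ValueError("bad signature")
        if json.loads(b64d(header)).get("alg") != "HS256":
            raise ValueError("unexpected alg")
        c = json.loads(b64d(payload))
        if c.get("iss") != CLIENT_ID or c.get("sub") != CLIENT_ID:
            raise ValueError("iss/sub mismatch")
        if c.get("aud") != TOKEN_ENDPOINT:
            raise ValueError("aud mismatch")
        if not isinstance(c.get("exp"), int) or now >= c["exp"]:
            raise ValueError("expired")
        if not c.get("jti"):
            raise ValueError("jti required")  # REQUIRED in the draft text quoted above
        if self.enforce_single_use:
            # Forget jtis whose exp has passed; the exp check rejects those anyway.
            self._seen = {j: e for j, e in self._seen.items() if e > now}
            if c["jti"] in self._seen:
                raise ValueError("replayed jti")
            self._seen[c["jti"]] = c["exp"]
        return c
```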