[Openid-specs-ab] "jti" claim in client_secret_jwt and private_key_jwt JWTs

Brian Campbell bcampbell at pingidentity.com
Sat Oct 26 19:46:52 UTC 2013


If you really want to keep the ability to de-dupe on the AS side, then
either the AS needs to be able to publish that it does so (which I think is
overkill) or add something that says that the client must use a unique
assertion on every request.


On Sat, Oct 26, 2013 at 12:56 PM, Brian Campbell <bcampbell at pingidentity.com> wrote:

> Not so fast. The same assertion could be used multiple times and, because
> it'll have a relatively short validity window, it will still have
> significantly better security characteristics than a password. Which is
> true for both self-signed and 3rd party issued assertions.
>
> Yes, single use is better than that but enforcing single use places a
> significant operational burden on the AS. I don't believe the tradeoff is
> worth it for client auth over a direct TLS connection to the AS.
>
> If the AS has the option of enforcing one-time use assertions but no way
> for the client to discover the requirement, then you'll have interop
> problems (or overly complex and probably buggy retry code on the client).
>
>
> On Fri, Oct 25, 2013 at 9:25 PM, John Bradley <ve7jtb at ve7jtb.com> wrote:
>
>> Self signed assertions must be single use.  That is the point of using
>> them vs a password.  If you use the same assertion multiple times it is a
>> password.
>>
>> There are reasons to re use a third party assertion, but it has the same
>> security as a password.
>>
>> Sent from my iPhone
>>
>> On Oct 25, 2013, at 7:49 PM, Mike Jones <Michael.Jones at microsoft.com>
>> wrote:
>>
>> The spec currently says this about JWTs used for client_secret_jwt and
>> private_key_jwt:
>>
>> jti
>>
>> REQUIRED. JWT ID. A unique identifier for the token. The JWT ID MAY be
>> used by implementations requiring message de-duplication for one-time use
>> assertions.
>>
>> Brian asked us to drop the sentence “The JWT ID MAY be used by
>> implementations requiring message de-duplication for one-time use assertions”
>> in both cases.
>>
>> A few questions:
>>
>> 1. Why is “jti” required?
>>
>> 2. How do we expect it to normally be used?
>>
>> 3. Would it be typical for assertions to be for one-time use in
>> our use cases?
>>
>> 4. How would a client know whether an assertion is for one-time
>> use?
>>
>> 5. Should “jti” only be present if the assertion is for one-time
>> use?
>>
>> 6. Should it be required at all?
>>
>> -- Mike
>>
>>
>> _______________________________________________
>> Openid-specs-ab mailing list
>> Openid-specs-ab at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>>
>>
>
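
The trade-off the thread is arguing about, as an added example that is not code from the thread, the spec text, or any of the participants: a client builds a client_secret_jwt assertion with a fresh "jti" and a short validity window, and an authorization server either accepts re-use of that assertion within the window or enforces one-time use. The one-time-use check only has to remember a "jti" until the assertion's own "exp" passes, which is what bounds the de-duplication cost on the AS side. The client identifier, secret, token endpoint URL and fixed clock values are constructed for the example, and the issuer/subject/audience/expiry checks are the ones a verifier would normally apply, not text taken from this message.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed example values (not from the thread): client id, shared client
# secret, and the token endpoint that the assertion is audience-bound to.
CLIENT_ID = "s6BhdRkqt3"
CLIENT_SECRET = b"constructed-example-secret-not-a-real-credential"
TOKEN_ENDPOINT = "https://as.example.com/token"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_client_assertion(now: int, ttl: int = 60) -> str:
    """Client side: HS256 client_secret_jwt assertion with a short exp and a fresh jti."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": CLIENT_ID,
        "sub": CLIENT_ID,
        "aud": TOKEN_ENDPOINT,
        "iat": now,
        "exp": now + ttl,
        "jti": secrets.token_urlsafe(16),  # unique per assertion
    }
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    sig = hmac.new(CLIENT_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class AuthorizationServer:
    """AS side: verifies the assertion; optionally enforces one-time use via a jti cache."""

    def __init__(self, enforce_single_use: bool, max_ttl: int = 300):
        self.enforce_single_use = enforce_single_use
        self.max_ttl = max_ttl
        self.seen_jti = {}  # jti -> exp; an entry is only needed until its exp passes

    def _evict_expired(self, now: int) -> None:
        self.seen_jti = {j: e for j, e in self.seen_jti.items() if e > now}

    def verify(self, assertion: str, now: int) -> tuple:
        try:
            h, c, s = assertion.split(".")
        except ValueError:
            return False, "malformed"
        if json.loads(_b64url_decode(h)).get("alg") != "HS256":
            return False, "unexpected alg"
        expected = hmac.new(CLIENT_SECRET, f"{h}.{c}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return False, "bad signature"
        claims = json.loads(_b64url_decode(c))
        if claims.get("iss") != CLIENT_ID or claims.get("sub") != CLIENT_ID:
            return False, "wrong issuer/subject"
        if claims.get("aud") != TOKEN_ENDPOINT:
            return False, "wrong audience"
        exp = claims.get("exp")
        if not isinstance(exp, int) or exp <= now:
            return False, "expired"
        if exp - now > self.max_ttl:
            return False, "validity window too long"
        jti = claims.get("jti")
        if not isinstance(jti, str) or not jti:
            return False, "missing jti"
        if self.enforce_single_use:
            self._evict_expired(now)  # cache never grows past one validity window
            if jti in self.seen_jti:
                return False, "replayed jti"
            self.seen_jti[jti] = exp
        return True, "ok"


def demo() -> dict:
    """Same assertion presented twice to a lax AS and to a single-use AS."""
    now = 1_382_816_812  # constructed fixed clock
    a = make_client_assertion(now)
    lax = AuthorizationServer(enforce_single_use=False)
    strict = AuthorizationServer(enforce_single_use=True)
    result = {
        "lax_first": lax.verify(a, now)[0],
        "lax_second": lax.verify(a, now + 5)[0],        # re-use accepted inside the window
        "strict_first": strict.verify(a, now)[0],
        "strict_second": strict.verify(a, now + 5)[1],  # "replayed jti"
        "after_exp": lax.verify(a, now + 61)[1],        # "expired" even without a cache
    }
    strict.verify(make_client_assertion(now + 61), now + 61)  # first jti evicted on next use
    result["cache_after_expiry"] = len(strict.seen_jti)
    return result


if __name__ == "__main__":
    print(demo())
```

The lax server still rejects the assertion once "exp" passes, which is the "relatively short validity window" point; the strict server additionally rejects the second presentation, and its cache holds at most the jtis issued within one window.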

