[Openid-specs-ab] "jti" claim in client_secret_jwt and private_key_jwt JWTs

Mike Jones Michael.Jones at microsoft.com
Sun Oct 27 03:52:12 UTC 2013


One possibility that comes to mind is saying that if "jti" is included, it signals that the JWT is single-use.  What do people think of that possibility?

What do people expect the "normal" use of these JWTs to be?

                                                            -- Mike

From: Brian Campbell [mailto:bcampbell at pingidentity.com]
Sent: Saturday, October 26, 2013 11:56 AM
To: John Bradley
Cc: Mike Jones; openid-specs-ab at lists.openid.net
Subject: Re: [Openid-specs-ab] "jti" claim in client_secret_jwt and private_key_jwt JWTs

Not so fast. The same assertion could be used multiple times and, because it'll have a relatively short validity window, it will still have significantly better security characteristics than a password. Which is true for both self-signed and 3rd party issued assertions.
Yes, single use is better than that but enforcing single use places a significant operational burden on the AS. I don't believe the tradeoff is worth it for client auth over a direct TLS connection to the AS.
If the AS has the option of enforcing one-time use assertions but no way for the client to discover the requirement, then you'll have interop problems (or overly complex and probably buggy retry code on the client).

On Fri, Oct 25, 2013 at 9:25 PM, John Bradley <ve7jtb at ve7jtb.com> wrote:
Self-signed assertions must be single use. That is the point of using them vs a password. If you use the same assertion multiple times it is a password.

There are reasons to reuse a third party assertion, but it has the same security as a password.

Sent from my iPhone

On Oct 25, 2013, at 7:49 PM, Mike Jones <Michael.Jones at microsoft.com> wrote:
The spec currently says this about JWTs used for client_secret_jwt and private_key_jwt:
jti
REQUIRED. JWT ID. A unique identifier for the token. The JWT ID MAY be used by implementations requiring message de-duplication for one-time use assertions.

Brian asked us to drop the sentence "The JWT ID MAY be used by implementations requiring message de-duplication for one-time use assertions" in both cases.

A few questions:

1. Why is "jti" required?
2. How do we expect it to normally be used?
3. Would it be typical for assertions to be for one-time use in our use cases?
4. How would a client know whether an assertion is for one-time use?
5. Should "jti" only be present if the assertion is for one-time use?
6. Should it be required at all?

                                                                -- Mike

_______________________________________________
Openid-specs-ab mailing list
Openid-specs-ab at lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-specs-ab
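As an added illustration of the trade-off argued in this thread (example code, not from the spec or any participant): an AS-side verifier for a client_secret_jwt (HS256) assertion that enforces single-use "jti" but only remembers a jti until the assertion's "exp", so the replay cache is bounded by the validity window rather than by history. The secret, client_id and token endpoint are constructed values; the in-memory dict would be shared storage in a clustered AS, which is the operational cost Brian refers to.

```python
import base64, hashlib, hmac, json

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_client_assertion(secret, client_id, token_endpoint, jti, now, lifetime=60):
    """Client side: HS256 client_secret_jwt with a short validity window."""
    header = _b64url(json.dumps({"alg": "HS256"}).encode())
    claims = {"iss": client_id, "sub": client_id, "aud": token_endpoint,
              "jti": jti, "iat": now, "exp": now + lifetime}
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

class AssertionVerifier:
    """AS side: validate the assertion and enforce single-use jti.
    Only unexpired jti values are kept, so the replay cache is bounded by
    (assertions per second x validity window) rather than by history."""
    def __init__(self, secret, token_endpoint):
        self.secret, self.token_endpoint = secret, token_endpoint
        self.seen = {}  # jti -> exp of the assertion that carried it

    def verify(self, assertion, client_id, now):
        header_b64, payload_b64, sig_b64 = assertion.split(".")
        if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
            raise ValueError("unexpected alg")
        expected = hmac.new(self.secret, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            raise ValueError("bad signature")
        claims = json.loads(_b64url_decode(payload_b64))
        if claims.get("iss") != client_id or claims.get("sub") != client_id:
            raise ValueError("iss/sub mismatch")
        if claims.get("aud") != self.token_endpoint:
            raise ValueError("aud mismatch")
        if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
            raise ValueError("expired or missing exp")
        # Drop entries whose exp has passed: an assertion that old is rejected above anyway.
        self.seen = {j: e for j, e in self.seen.items() if e > now}
        jti = claims.get("jti")
        if not isinstance(jti, str) or jti in self.seen:
            raise ValueError("missing or replayed jti")
        self.seen[jti] = claims["exp"]
        return claims
```

private_key_jwt differs only in the signature step (an asymmetric signature verified with the client's registered key); the exp and jti handling is the same.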

