[Openid-specs-ab] "jti" claim in client_secret_jwt and private_key_jwt JWTs

Torsten Lodderstedt torsten at lodderstedt.net
Sun Oct 27 14:44:37 UTC 2013



On 27.10.2013 04:52, Mike Jones wrote:
>
> One possibility that comes to mind is saying that if "jti" is 
> included, it signals that the JWT is single-use.  What do people think 
> of that possibility?
>

We use "jti" that way. So I like this idea :-)

> What do people expect the "normal" use of these JWTs to be?
>
>                -- Mike
>
> *From:*Brian Campbell [mailto:bcampbell at pingidentity.com]
> *Sent:* Saturday, October 26, 2013 11:56 AM
> *To:* John Bradley
> *Cc:* Mike Jones; openid-specs-ab at lists.openid.net
> *Subject:* Re: [Openid-specs-ab] "jti" claim in client_secret_jwt and 
> private_key_jwt JWTs
>
> Not so fast. The same assertion could be used multiple times and, 
> because it'll have a relatively short validity window, it will still 
> have significantly better security characteristics than a password. 
> Which is true for both self-signed and 3rd party issued assertions.
>
> Yes, single use is better than that but enforcing single use places a 
> significant operational burden on the AS. I don't believe the tradeoff 
> is worth it for client auth over a direct TLS connection to the AS.
>
> If the AS has the option of enforcing one-time use assertions but no 
> way for the client to discover the requirement, then you'll have 
> interop problems (or overly complex and probably buggy retry code on 
> the client).
>
> On Fri, Oct 25, 2013 at 9:25 PM, John Bradley <ve7jtb at ve7jtb.com 
> <mailto:ve7jtb at ve7jtb.com>> wrote:
>
> Self signed assertions must be single use.  That is the point of using 
> them vs a password.  If you use the same assertion multiple times it 
> is a password.
>
> There are reasons to reuse a third party assertion, but it has the 
> same security as a password.
>
> Sent from my iPhone
>
>
> On Oct 25, 2013, at 7:49 PM, Mike Jones <Michael.Jones at microsoft.com 
> <mailto:Michael.Jones at microsoft.com>> wrote:
>
>     The spec currently says this about JWTs used for client_secret_jwt
>     and private_key_jwt:
>
>     jti
>
>     REQUIRED. JWT ID. A unique identifier for the token. The JWT ID
>     MAY be used by implementations requiring message de-duplication
>     for one-time use assertions.
>
>     Brian asked us to drop the sentence "The JWT ID MAY be used by
>     implementations requiring message de-duplication for one-time use
>     assertions" in both cases.
>
>     A few questions:
>
>     1.Why is "jti" required?
>
>     2.How do we expect it to normally be used?
>
>     3.Would it be typical for assertions to be for one-time use in our
>     use cases?
>
>     4.How would a client know whether an assertion is for one-time use?
>
>     5.Should "jti" only be present if the assertion is for one-time use?
>
>     6.Should it be required at all?
>
>     -- Mike
>
>     _______________________________________________
>     Openid-specs-ab mailing list
>     Openid-specs-ab at lists.openid.net
>     <mailto:Openid-specs-ab at lists.openid.net>
>     http://lists.openid.net/mailman/listinfo/openid-specs-ab
>
>

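To make the trade-off in the thread concrete (John's "same assertion used twice is a password", Brian's "single use is an operational burden on the AS", and Mike's questions about why "jti" is REQUIRED), here is an added example that is not from the thread or from any OpenID implementation: a client_secret_jwt assertion minted on the client side and verified on the AS side with a jti replay cache. The client_id, secret, token endpoint and lifetimes are constructed values for the example; HS256 over the shared client secret is used because that is what client_secret_jwt specifies, and a private_key_jwt verifier would only swap the HMAC step for a signature check against the client's registered public key. The cache is bounded by the assertion's own "exp", which is the part that keeps single-use enforcement cheap for the AS.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed sample values for this example (not from the thread).
CLIENT_ID = "s6BhdRkqt3"
CLIENT_SECRET = b"constructed-example-secret-not-for-production"
TOKEN_ENDPOINT = "https://as.example.com/token"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def build_client_assertion(client_id, secret, aud, now, lifetime=60, include_jti=True):
    """Client side: mint a client_secret_jwt assertion (HS256) with a fresh random jti.
    include_jti=False exists only to show what the AS does with a jti-less assertion."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": client_id, "sub": client_id, "aud": aud,
              "iat": now, "exp": now + lifetime}
    if include_jti:
        claims["jti"] = secrets.token_urlsafe(16)  # 128 bits, so collisions are not a concern
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class ReplayCache:
    """jti -> exp. An entry only has to live until the assertion would fail the exp
    check anyway, so the cache is bounded by the longest lifetime the AS accepts."""

    def __init__(self):
        self._seen = {}

    def check_and_record(self, jti, exp, now):
        # Purge entries whose assertion is already expired; replaying those fails on exp.
        self._seen = {j: e for j, e in self._seen.items() if e > now}
        if jti in self._seen:
            return False
        self._seen[jti] = exp
        return True


def verify_client_assertion(token, secret, expected_aud, now, cache, max_lifetime=300):
    """AS side: return the claims on success, raise ValueError with the reason otherwise."""
    try:
        h_b64, c_b64, s_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed JWT")
    header = json.loads(_b64url_decode(h_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the alg; never accept "none" or alg switching
    expected = hmac.new(secret, (h_b64 + "." + c_b64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c_b64))
    for required in ("iss", "sub", "aud", "exp", "jti"):  # jti REQUIRED, as in the draft text
        if required not in claims:
            raise ValueError(f"missing claim {required}")
    if claims["iss"] != claims["sub"]:
        raise ValueError("iss must equal sub (client_id)")
    aud = claims["aud"]
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    exp = int(claims["exp"])
    if exp <= now:
        raise ValueError("expired")
    if exp - now > max_lifetime:
        raise ValueError("lifetime too long")  # caps how long any jti must be remembered
    if not cache.check_and_record(claims["jti"], exp, now):
        raise ValueError("replayed jti")
    return claims


def demo():
    """Present the same assertion twice: first accepted, second refused as a replay."""
    now = int(time.time())
    cache = ReplayCache()
    tok = build_client_assertion(CLIENT_ID, CLIENT_SECRET, TOKEN_ENDPOINT, now)
    first = verify_client_assertion(tok, CLIENT_SECRET, TOKEN_ENDPOINT, now, cache)
    try:
        verify_client_assertion(tok, CLIENT_SECRET, TOKEN_ENDPOINT, now + 1, cache)
        second = "accepted"
    except ValueError as e:
        second = str(e)
    return first["jti"], second
```

Note what the cache does and does not cost: because the verifier refuses any assertion whose "exp" is more than max_lifetime ahead, an AS that enforces single use has to remember at most one jti per token request issued in that window, and the purge on each insert keeps it there. With one AS node that is cheap; the operational burden Brian mentions shows up when the token endpoint is served by several nodes, which then need a shared store for the jti set to make single-use enforcement meaningful across nodes.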

