[Openid-specs-ab] "jti" claim in client_secret_jwt and private_key_jwt JWTs

John Bradley ve7jtb at ve7jtb.com
Sun Oct 27 23:57:59 UTC 2013


I am OK with that. If that is the case we should say something about exp not being set more than 12h (or some reasonable value, otherwise people will set it for a year) into the future if jti is not sent.

John B.
On Oct 27, 2013, at 12:52 AM, Mike Jones <Michael.Jones at microsoft.com> wrote:

> One possibility that comes to mind is saying that if “jti” is included, it signals that the JWT is single-use.  What do people think of that possibility?
>  
> What do people expect the “normal” use of these JWTs to be?
>  
> -- Mike
>  
> From: Brian Campbell [mailto:bcampbell at pingidentity.com] 
> Sent: Saturday, October 26, 2013 11:56 AM
> To: John Bradley
> Cc: Mike Jones; openid-specs-ab at lists.openid.net
> Subject: Re: [Openid-specs-ab] "jti" claim in client_secret_jwt and private_key_jwt JWTs
>  
> Not so fast. The same assertion could be used multiple times and, because it'll have a relatively short validity window, it will still have significantly better security characteristics than a password. Which is true for both self-signed and 3rd party issued assertions.
> 
> Yes, single use is better than that but enforcing single use places a significant operational burden on the AS. I don't believe the tradeoff is worth it for client auth over a direct TLS connection to the AS.
> 
> If the AS has the option of enforcing one-time use assertions but no way for the client to discover the requirement, then you'll have interop problems (or overly complex and probably buggy retry code on the client).
>  
> 
> On Fri, Oct 25, 2013 at 9:25 PM, John Bradley <ve7jtb at ve7jtb.com> wrote:
> Self signed assertions must be single use.  That is the point of using them vs a password.  If you use the same assertion multiple times it is a password. 
>  
> There are reasons to re use a third party assertion, but it has the same security as a password. 
> 
> Sent from my iPhone
> 
> On Oct 25, 2013, at 7:49 PM, Mike Jones <Michael.Jones at microsoft.com> wrote:
> 
> The spec currently says this about JWTs used for client_secret_jwt and private_key_jwt:
> jti
> REQUIRED. JWT ID. A unique identifier for the token. The JWT ID MAY be used by implementations requiring message de-duplication for one-time use assertions.
>  
> Brian asked us to drop the sentence “The JWT ID MAY be used by implementations requiring message de-duplication for one-time use assertions” in both cases.
>  
> A few questions:
> 1. Why is “jti” required?
> 2. How do we expect it to normally be used?
> 3. Would it be typical for assertions to be for one-time use in our use cases?
> 4. How would a client know whether an assertion is for one-time use?
> 5. Should “jti” only be present if the assertion is for one-time use?
> 6. Should it be required at all?
> 
>  
> -- Mike
>  
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
> 
> 

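The thread lands on three positions an AS could take with these assertions: cap how far out `exp` may be (John's 12h figure), treat a present `jti` as a single-use marker and de-duplicate on it (Mike's proposal), or accept reuse inside a short validity window and skip de-duplication (Brian's position). The following is an added example, not code from the thread or from any OpenID Foundation or vendor implementation: a stdlib-only Python sketch of client_secret_jwt on both sides, with the AS-side verifier applying those checks in a deliberate order. The client id, secret, token endpoint URL and timestamps are constructed sample values; `max_lifetime`, `require_single_use`, the in-memory replay cache and the rejection strings are my own naming, chosen for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed sample values for the demo; not taken from the thread or any deployment.
CLIENT_ID = "s6BhdRkqt3"
CLIENT_SECRET = "constructed-shared-secret-do-not-reuse"
TOKEN_ENDPOINT = "https://server.example.com/token"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_client_secret_jwt(client_id, client_secret, token_endpoint, now,
                           lifetime=300, with_jti=True):
    """Client side: HS256 assertion keyed by the client secret (client_secret_jwt).
    `now` is the caller's clock in seconds since the epoch."""
    claims = {"iss": client_id, "sub": client_id, "aud": token_endpoint,
              "iat": now, "exp": now + lifetime}
    if with_jti:
        claims["jti"] = secrets.token_urlsafe(16)  # fresh value per assertion
    signing_input = ".".join(b64url(json.dumps(p, separators=(",", ":")).encode())
                             for p in ({"alg": "HS256"}, claims))
    mac = hmac.new(client_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(mac)


class ClientAssertionVerifier:
    """AS side: alg, signature and audience first, then a ceiling on exp, then jti handling."""

    def __init__(self, token_endpoint, secrets_by_client,
                 max_lifetime=12 * 3600, require_single_use=True):
        self.token_endpoint = token_endpoint
        self.secrets_by_client = secrets_by_client
        self.max_lifetime = max_lifetime  # the 12h ceiling John floats (hypothetical knob)
        self.require_single_use = require_single_use
        self._seen = {}  # jti -> exp; a clustered AS would need a shared TTL cache instead

    def verify(self, assertion, now):
        try:
            h_b64, c_b64, s_b64 = assertion.split(".")
            header, claims = (json.loads(b64url_decode(x)) for x in (h_b64, c_b64))
            sig = b64url_decode(s_b64)
        except ValueError as e:  # wrong segment count, bad base64 or bad JSON
            raise ValueError("malformed assertion") from e
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            raise ValueError("unexpected alg")  # the token never gets to choose the algorithm
        client_id = claims.get("iss") if isinstance(claims, dict) else None
        if not isinstance(client_id, str) or claims.get("sub") != client_id:
            raise ValueError("iss/sub mismatch")
        secret = self.secrets_by_client.get(client_id)
        if secret is None:
            raise ValueError("unknown client")
        expected = hmac.new(secret.encode(), f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            raise ValueError("bad signature")
        if claims.get("aud") != self.token_endpoint:  # string aud only, for brevity
            raise ValueError("wrong audience")
        exp = claims.get("exp")
        if not isinstance(exp, int) or exp <= now:
            raise ValueError("expired or missing exp")
        if exp - now > self.max_lifetime:
            raise ValueError("exp too far in the future")
        jti = claims.get("jti")
        if jti is None:
            if self.require_single_use:
                raise ValueError("jti required")
            return client_id  # reusable inside its window, the mode Brian describes
        self._seen = {k: v for k, v in self._seen.items() if v > now}  # forget expired ones
        if jti in self._seen:
            raise ValueError("replayed assertion")
        self._seen[jti] = exp  # only needs remembering until exp, which bounds the cache
        return client_id


def outcome(verifier, assertion, now):
    try:
        return verifier.verify(assertion, now)
    except ValueError as e:
        return str(e)


def run_demo(now=1_700_000_000):
    def mint(**kw):
        return mint_client_secret_jwt(CLIENT_ID, CLIENT_SECRET, TOKEN_ENDPOINT, now, **kw)
    strict = ClientAssertionVerifier(TOKEN_ENDPOINT, {CLIENT_ID: CLIENT_SECRET})
    lax = ClientAssertionVerifier(TOKEN_ENDPOINT, {CLIENT_ID: CLIENT_SECRET}, require_single_use=False)
    good, reusable = mint(), mint(with_jti=False)
    body = good.split(".")[1]
    return {
        "first": outcome(strict, good, now),
        "replay": outcome(strict, good, now),
        "long_exp": outcome(strict, mint(lifetime=365 * 86400), now),  # exp a year out
        "forged": outcome(strict, good.rsplit(".", 1)[0] + "." + b64url(bytes(32)), now),
        "alg_none": outcome(strict, b64url(b'{"alg":"none"}') + "." + body + ".", now),
        "no_jti_lax_twice": [outcome(lax, reusable, now), outcome(lax, reusable, now)],
    }
```

`run_demo()` returns one entry per case: the first presentation succeeds, the second is refused as a replay, a year-long `exp` is refused by the lifetime ceiling, a forged MAC and an `alg: none` header never reach the claim checks, and the lax verifier accepts the jti-less assertion twice within its window. The replay cache is the operational cost Brian objects to: every AS node must consult the same store, but because an entry can be dropped once the assertion's own `exp` has passed, the store never grows beyond one validity window of traffic, which is why bounding `exp` and enforcing single use go together.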