<html><head><meta http-equiv="Content-Type" content="text/html charset=windows-1252"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">I am OK with that. If that is the case we should say something about exp not being set more than 12h (or some reasonable value, otherwise people will set it for a year) into the future if jti is not sent.<div><br></div><div>John B.<br><div><div>On Oct 27, 2013, at 12:52 AM, Mike Jones <<a href="mailto:Michael.Jones@microsoft.com">Michael.Jones@microsoft.com</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div lang="EN-US" link="blue" vlink="purple" style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;"><div class="WordSection1" style="page: WordSection1;"><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;"><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125);">One possibility that comes to mind is saying that if “jti” is included, it signals that the JWT is single-use. 
What do people think of that possibility?<o:p></o:p></span></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;"><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125);"> </span></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;"><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125);">What do people expect the “normal” use of these JWTs to be?<o:p></o:p></span></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;"><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125);"> </span></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;"><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125);"> -- Mike<o:p></o:p></span></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;"><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125);"> </span></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;"><b><span style="font-size: 10pt; font-family: Tahoma, sans-serif;">From:</span></b><span style="font-size: 10pt; font-family: Tahoma, sans-serif;"><span class="Apple-converted-space"> </span>Brian Campbell [<a href="mailto:bcampbell@pingidentity.com">mailto:bcampbell@pingidentity.com</a>]<span class="Apple-converted-space"> </span><br><b>Sent:</b><span class="Apple-converted-space"> </span>Saturday, October 26, 2013 11:56 AM<br><b>To:</b><span class="Apple-converted-space"> </span>John Bradley<br><b>Cc:</b><span class="Apple-converted-space"> </span>Mike Jones; <a href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a><br><b>Subject:</b><span class="Apple-converted-space"> </span>Re: [Openid-specs-ab] "jti" claim in 
client_secret_jwt and private_key_jwt JWTs<o:p></o:p></span></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;"><o:p> </o:p></div><div><div><div><p class="MsoNormal" style="margin: 0in 0in 12pt; font-size: 12pt; font-family: 'Times New Roman', serif;">Not so fast. The same assertion could be used multiple times and, because it'll have a relatively short validity window, it will still have significantly better security characteristics than a password. Which is true for both self-signed and 3rd party issued assertions.<o:p></o:p></p></div><p class="MsoNormal" style="margin: 0in 0in 12pt; font-size: 12pt; font-family: 'Times New Roman', serif;">Yes, single use is better than that but enforcing single use places a significant operational burden on the AS. I don't believe the tradeoff is worth it for client auth over a direct TLS connection to the AS.<o:p></o:p></p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;">If the AS has the option of enforcing one-time use assertions but no way for the client to discover the requirement, then you'll have interop problems (or overly complex and probably buggy retry code on the client).<o:p></o:p></div></div><div><p class="MsoNormal" style="margin: 0in 0in 12pt; font-size: 12pt; font-family: 'Times New Roman', serif;"><o:p> </o:p></p><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;">On Fri, Oct 25, 2013 at 9:25 PM, John Bradley <<a href="mailto:ve7jtb@ve7jtb.com" target="_blank" style="color: purple; text-decoration: underline;">ve7jtb@ve7jtb.com</a>> wrote:<o:p></o:p></div><div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;">Self-signed assertions must be single use. That is the point of using them vs a password. If you use the same assertion multiple times it is a password. 
<o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;"><o:p> </o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;">There are reasons to reuse a third-party assertion, but it has the same security as a password. <br><br>Sent from my iPhone<o:p></o:p></div></div><div><div><p class="MsoNormal" style="margin: 0in 0in 12pt; font-size: 12pt; font-family: 'Times New Roman', serif;"><br>On Oct 25, 2013, at 7:49 PM, Mike Jones <<a href="mailto:Michael.Jones@microsoft.com" target="_blank" style="color: purple; text-decoration: underline;">Michael.Jones@microsoft.com</a>> wrote:<o:p></o:p></p></div><blockquote style="margin-top: 5pt; margin-bottom: 5pt;"><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;">The spec currently says this about JWTs used for client_secret_jwt and private_key_jwt:<o:p></o:p></div><div style="margin: 0in 0in 0.0001pt 0.5in; font-size: 12pt; font-family: 'Times New Roman', serif;"><span lang="EN" style="font-family: Verdana, sans-serif;">jti</span><o:p></o:p></div><div style="margin: 0in 0in 0.0001pt 1in; font-size: 12pt; font-family: 'Times New Roman', serif;"><span lang="EN" style="font-family: Verdana, sans-serif;">REQUIRED. JWT ID. A unique identifier for the token. 
The JWT ID MAY be used by implementations requiring message de-duplication for one-time use assertions.</span><o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;"> <o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;">Brian asked us to drop the sentence “<span lang="EN" style="font-family: Verdana, sans-serif;">The JWT ID MAY be used by implementations requiring message de-duplication for one-time use assertions</span>” in both cases.<o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;"> <o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;">A few questions:<o:p></o:p></div><p style="margin-right: 0in; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif;">1.<span style="font-size: 7pt;"> <span class="Apple-converted-space"> </span></span>Why is “jti” required?<o:p></o:p></p><p style="margin-right: 0in; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif;">2.<span style="font-size: 7pt;"> <span class="Apple-converted-space"> </span></span>How do we expect it to normally be used?<o:p></o:p></p><p style="margin-right: 0in; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif;">3.<span style="font-size: 7pt;"> <span class="Apple-converted-space"> </span></span>Would it be typical for assertions to be for one-time use in our use cases?<o:p></o:p></p><p style="margin-right: 0in; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif;">4.<span style="font-size: 7pt;"> <span class="Apple-converted-space"> </span></span>How would a client know whether an assertion is for one-time use?<o:p></o:p></p><p style="margin-right: 0in; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif;">5.<span style="font-size: 7pt;"> <span 
class="Apple-converted-space"> </span></span>Should “jti” only be present if the assertion is for one-time use?<o:p></o:p></p><p style="margin-right: 0in; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif;">6.<span style="font-size: 7pt;"> <span class="Apple-converted-space"> </span></span>Should it be required at all?<o:p></o:p></p><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;"> <o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;"> -- Mike<o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;"> <o:p></o:p></div></blockquote></div><blockquote style="margin-top: 5pt; margin-bottom: 5pt;"><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;">_______________________________________________<br>Openid-specs-ab mailing list<br><a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank" style="color: purple; text-decoration: underline;">Openid-specs-ab@lists.openid.net</a><br><a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank" style="color: purple; text-decoration: underline;">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><o:p></o:p></div></blockquote></div></div></div></div></div></blockquote></div><br></div></body></html>
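To make the two proposals in this thread concrete (a present "jti" marks the assertion as single-use and is de-duplicated by the AS; an assertion without "jti" may be reused, so the AS caps how far "exp" may lie in the future), here is an added Python example of the claim checks an AS could apply to a client_secret_jwt or private_key_jwt assertion. It is not code from the thread, the spec, or any OpenID implementation; the class name, the 12h default, the 60s clock skew, and keying the de-duplication store by (iss, jti) are assumptions, and signature verification is assumed to have already succeeded before these checks run.

```python
import time


class AssertionValidator:
    """Claim-set checks for a client-authentication JWT at the AS.

    Hypothetical helper (not from the spec). The signature is assumed to
    have been verified already; only the claim semantics are modelled.
    """

    def __init__(self, audience, max_lifetime_without_jti=12 * 3600,
                 clock_skew=60, now=time.time):
        self.audience = audience
        # cap for assertions that carry no jti and may therefore be replayed
        self.max_lifetime_without_jti = max_lifetime_without_jti
        self.clock_skew = clock_skew
        self.now = now  # injectable clock so the checks are testable
        self._seen = {}  # (iss, jti) -> exp: the de-duplication store

    def _purge(self, now):
        # Forget a jti once its assertion can no longer be accepted anyway,
        # so the store is bounded by the assertion lifetime, not by traffic.
        for key, exp in list(self._seen.items()):
            if exp <= now - self.clock_skew:
                del self._seen[key]

    def validate(self, claims):
        """Return (accepted, reason) for one decoded claim set."""
        now = self.now()
        for c in ("iss", "sub", "aud", "exp"):
            if c not in claims:
                return False, "missing claim " + c
        aud = claims["aud"]
        if aud != self.audience and not (isinstance(aud, list) and self.audience in aud):
            return False, "audience mismatch"
        exp = claims["exp"]
        if not isinstance(exp, (int, float)):
            return False, "exp is not numeric"
        if exp <= now - self.clock_skew:
            return False, "expired"
        jti = claims.get("jti")
        if jti is None:
            # No jti: the assertion may be reused, so bound how long it stays valid.
            if exp > now + self.max_lifetime_without_jti:
                return False, "exp too far in the future for an assertion without jti"
            return True, "accepted (reusable until exp)"
        # jti present: single-use, so any replay from the same issuer is rejected.
        self._purge(now)
        key = (claims["iss"], jti)
        if key in self._seen:
            return False, "replayed jti"
        self._seen[key] = exp
        return True, "accepted (single-use)"
```

The de-duplication store is the operational burden Brian mentions; purging entries at their "exp" keeps it proportional to the validity window rather than to the request rate.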