I’m not sure I understand. If you read only the key ID from the authenticated payload in order to authenticate it, is there a problem? Or is the problem that this is error-prone to implementers? I’m no crypto expert, but I suppose I care about security more than average, and I thought it was obvious that nothing but the key ID should be used before authentication.
My interpretation is that reaching in and grabbing just one thing from the untrusted payload is bad spec design, since it means that API developers are going to want to implement grabbing any ol’ thing out of the untrusted payload.
Meanwhile I’m beginning to think you can have an implementation of jwt that is non compliant but good; like ignoring any specified algorithm, and only verifying but never encrypting.
I agree with you… but what’s the point of JWT if the only good implementations are non-compliant? I remember reading good things about paseto but I’ve never actually used it.
The point is to have a tool that can be used to track sessions without maintaining much state on the server (revocation list is an obvious but, depending on your environment, plausibly optional thing). That’s all I need.
I’m really not a fan of JWT, but I have questions here. X.509 certificates also have an issuer field that is part of the signed data even though it doesn’t strictly need to be. Would X.509 be better if we stopped signing the issuer?
It has some of the other problems that have gotten JWT in trouble, too: certificates identify their own issuer, leaving it to the application to decide whether that issuer is acceptable, and their own signature algorithm.
Of course X.509 is much more tightly specified, and includes a standard way for issuer certificates to identify what kind of key they have. It also doesn’t mix asymmetric and symmetric cryptosystems. But I wonder if the main reason we consider it a reasonable security standard isn’t exactly the same reason developers might prefer JWT—the bar to implement X.509 at all is so high that people aren’t tempted to roll their own.
I’m not sure I understand. If you read only the key ID from the authenticated payload in order to authenticate it, is there a problem? Or is the problem that this is error-prone to implementers? I’m no crypto expert, but I suppose I care about security more than average, and I thought it was obvious that nothing but the key ID should be used before authentication.
My interpretation is that reaching in and grabbing just one thing from the untrusted payload is bad spec design, since it means that API developers are going to want to implement grabbing any ol’ thing out of the untrusted payload.
(Facetiously) I’m beginning to think JWT is bad?
Meanwhile I’m beginning to think you can have an implementation of jwt that is non compliant but good; like ignoring any specified algorithm, and only verifying but never encrypting.
I agree with you… but what’s the point of JWT if the only good implementations are non-compliant? I remember reading good things about paseto but I’ve never actually used it.
The point is to have a tool that can be used to track sessions without maintaining much state on the server (revocation list is an obvious but, depending on your environment, plausibly optional thing). That’s all I need.
I’m really not a fan of JWT, but I have questions here. X.509 certificates also have an issuer field that is part of the signed data even though it doesn’t strictly need to be. Would X.509 be better if we stopped signing the issuer?
It has some of the other problems that have gotten JWT in trouble, too: certificates identify their own issuer, leaving it to the application to decide whether that issuer is acceptable, and their own signature algorithm.
Of course X.509 is much more tightly specified, and includes a standard way for issuer certificates to identify what kind of key they have. It also doesn’t mix asymmetric and symmetric cryptosystems. But I wonder if the main reason we consider it a reasonable security standard isn’t exactly the same reason developers might prefer JWT—the bar to implement X.509 at all is so high that people aren’t tempted to roll their own.