Why You Don't Want Javascript Object Signing and Encryption

Thanks to Melvin for spotting this article, which underscores the
decision we made long ago to avoid some of the hairier bits of JOSE.

Summary:

* Don't use JWT for session management
* The JWS standard is completely broken, and total RFC compliance
  renders your applications vulnerable
* The JWE standard is a minefield that non-cryptographers shouldn't be
  forced to navigate
* JOSE is a needlessly complex suite of standards with security deficits
  baked in

More here:

https://paragonie.com/blog/2017/03/jwt-json-web-tokens-is-bad-standard-that-everyone-should-avoid

We wrote about some of these issues (and a few more) over four years ago:

http://manu.sporny.org/2013/lds-vs-jose/

... which is why Linked Data Signatures exists:

https://w3c-dvcg.github.io/ld-signatures/

Just a few data points for those new to the community.

-- manu

-- 
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: The State of W3C Web Payments in 2017
http://manu.sporny.org/2017/w3c-web-payments/

Received on Sunday, 21 January 2018 13:46:06 UTC