- From: Manu Sporny <msporny@digitalbazaar.com>
- Date: Sun, 21 Jan 2018 08:45:38 -0500
- To: Credentials Community Group <public-credentials@w3.org>, Verifiable Claims Working Group <public-vc-wg@w3.org>
Thanks to Melvin for spotting this article, which underscores the decision we made long ago to avoid some of the hairier bits of JOSE.

Summary:

* Don't use JWT for session management
* The JWS standard is completely broken, and total RFC compliance renders your applications vulnerable
* The JWE standard is a minefield that non-cryptographers shouldn't be forced to navigate
* JOSE is a needlessly complex suite of standards with security deficits baked in

More here:

https://paragonie.com/blog/2017/03/jwt-json-web-tokens-is-bad-standard-that-everyone-should-avoid

We wrote about some of these issues (and a few more) over four years ago:

http://manu.sporny.org/2013/lds-vs-jose/

... which is why Linked Data Signatures exists:

https://w3c-dvcg.github.io/ld-signatures/

Just a few data points for those new to the community.

-- manu

--
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: The State of W3C Web Payments in 2017
http://manu.sporny.org/2017/w3c-web-payments/
Received on Sunday, 21 January 2018 13:46:08 UTC