Re: [w3c/webpayments-crypto] Required or recommended encryption algorithms (#2)

The many known-to-be-weak-or-compromised algos that are allowed are commonly cited as a weakness of JWT. I suggest we define a limited profile of algos that are allowed in our use case.

This is explicitly allowed by RFC 7519 in the steps for validating a JWT:

> 5. Verify that the resulting JOSE Header includes only parameters
> and values whose syntax and semantics are both understood and
> supported or that are specified as being ignored when not
> understood.

-- 
https://github.com/w3c/webpayments-crypto/issues/2#issuecomment-365869737

Received on Thursday, 15 February 2018 09:26:10 UTC
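
An added example, not part of the original message or of any working group code: a JOSE header check that enforces a restricted algorithm profile and rejects unrecognized header parameters before any key is selected or cryptographic operation is attempted. The allowed `alg`/`enc` values, the set of understood parameters and all function names are assumptions chosen for illustration.

```python
import base64
import json

# Hypothetical profile (assumption): not a profile chosen by the working group.
ALLOWED_ALG = {"RSA-OAEP-256", "ECDH-ES"}
ALLOWED_ENC = {"A256GCM"}
# Parameters this validator understands. Stricter than RFC 7519 step 5:
# nothing is treated as "ignored when not understood", so "crit", "zip",
# "jku" and any other parameter outside this set is rejected.
UNDERSTOOD_PARAMS = {"alg", "enc", "kid", "typ", "cty", "epk"}


class HeaderRejected(ValueError):
    pass


def check_jose_header(token: str) -> dict:
    """Parse the first segment of a compact token and enforce the profile."""
    segment = token.split(".", 1)[0]
    try:
        raw = base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))
        header = json.loads(raw)
    except ValueError as exc:  # covers base64, UTF-8 and JSON errors
        raise HeaderRejected("malformed header") from exc
    if not isinstance(header, dict):
        raise HeaderRejected("header is not a JSON object")
    unknown = set(header) - UNDERSTOOD_PARAMS
    if unknown:
        raise HeaderRejected(f"unsupported parameters: {sorted(unknown)}")
    for name, allowed in (("alg", ALLOWED_ALG), ("enc", ALLOWED_ENC)):
        value = header.get(name)
        if not isinstance(value, str) or value not in allowed:
            raise HeaderRejected(f"{name} not in profile: {value!r}")
    return header


def make_token(header) -> str:
    """Constructed sample token: only the header segment is meaningful."""
    h = base64.urlsafe_b64encode(json.dumps(header).encode()).rstrip(b"=")
    return h.decode() + ".key.iv.ciphertext.tag"


def rejected(token: str) -> bool:
    try:
        check_jose_header(token)
    except HeaderRejected:
        return True
    return False
```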