More on data formats

Dirkjan Ochtman dirkjan at ochtman.nl
Tue Nov 26 11:15:47 PST 2013


On Tue, Nov 26, 2013 at 6:54 PM, Chris Karlof <ckarlof at mozilla.com> wrote:
>> Discussion was mostly around the verifier being able to differentiate,
>> not as much the RP, I think. In any case, it seemed to me like people
>> were uncomfortable about distinguishing based on the issuer, and
>> therefore wanted to add the scheme to make it easier. I must say that
>> I still don't fully grasp the perceived issue here.
>
> Crypto/security future feature creep fear. :)
>
> It's nice if there is a simple explicit way of knowing how the sub field should be interpreted. sub as URI helps with that.

And you think jwt.iss == "accounts.firefox.com" isn't a good enough
test? IIUC we don't have any use case for a JWT without issuer.

Cheers,

Dirkjan



More information about the Dev-fxacct mailing list