More on data formats
dirkjan at ochtman.nl
Tue Nov 26 11:15:47 PST 2013
On Tue, Nov 26, 2013 at 6:54 PM, Chris Karlof <ckarlof at mozilla.com> wrote:
>> Discussion was mostly around the verifier being able to differentiate,
>> not as much the RP, I think. In any case, it seemed to me like people
>> were uncomfortable about distinguishing based on the issuer, and
>> therefore wanted to add the scheme to make it easier. I must say that
>> I still don't fully grasp the perceived issue here.
> Crypto/security future feature creep fear. :)
> It's nice if there is a simple explicit way of knowing how the sub field should be interpreted. sub as URI helps with that.
And you think jwt.iss == "accounts.firefox.com" isn't a good enough
test? IIUC we don't have any use case for a JWT without issuer.
More information about the Dev-fxacct mailing list