More on data formats

Chris Karlof ckarlof at mozilla.com
Tue Nov 26 12:08:28 PST 2013


On Nov 26, 2013, at 11:15 AM, Dirkjan Ochtman <dirkjan at ochtman.nl> wrote:

> On Tue, Nov 26, 2013 at 6:54 PM, Chris Karlof <ckarlof at mozilla.com> wrote:
>>> Discussion was mostly around the verifier being able to differentiate,
>>> not as much the RP, I think. In any case, it seemed to me like people
>>> were uncomfortable about distinguishing based on the issuer, and
>>> therefore wanted to add the scheme to make it easier. I must say that
>>> I still don't fully grasp the perceived issue here.
>> 
>> Crypto/security future feature creep fear. :)
>> 
>> It's nice if there is a simple explicit way of knowing how the sub field should be interpreted. sub as URI helps with that.
> 
> And you think jwt.iss == "accounts.firefox.com" isn't a good enough
> test? IIUC we don't have any use case for a JWT without issuer.
> 

IMO, your proposal is reasonable for the current use cases. 

People in my security/crypto world generally assume they can't predict future use cases and the resulting possible confusion, and take every opportunity to make things as explicit as possible. This can create extra verbosity that never delivers measurable value, so yeah, it's not free.

FWIW, I'm neutral on the string vs URI for sub. I anticipate certificates and assertions will be opaque to RPs for the foreseeable future (i.e., most RPs will just use our verifier service), so we'd bear most of the burden of these tradeoffs anyway.

I encourage warner to weigh in here.

-chris



> Cheers,
> 
> Dirkjan



