-
-
Notifications
You must be signed in to change notification settings - Fork 671
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Modify 3.5.5 - split key confusion part to a separate requirement #2360
Comments
For me it is duplicated by current V3.5.5:
It went through long journy already in #2204. If it is covered already by 3.5.5, please close this issue. If there is need to improve current 3.5.5 to cover some missing aspect, then please re-open #2204 as previous discussion is held there. If there is need for a new requirement, please provide information, what makes this new proposed requirement different and unique from 3.5.5. |
This has always felt like a V6 requirement to me.
Does this apply to more than JWTs? |
We also have V3.5.3 requirement on the topic:
Direction is to have abstract requirement (not an access-token specific). If there are no new aspects from proposed new requirement, we can re-open related issues for 3.5.3 (#2184) and/or 3.5.5 (#2204 ) if needed to finetune something there. |
The suggested changed here is related to #2361 (comment). If not "split" as suggested there, V3.5.3 (and V6) covers this as it is and this can be closed. If "split", V3.5.5 could be changed as suggested here. |
Given that we decide to split (see #2361 (comment)), should we then have V3.5.3 to only address the "strong alg" part, and rewrite it like this?
or is just add "strong" and removing "key confusion" from V3.5.3 better?
|
I try to get overview of the situation. We have current requirements that are made long journey to have those wordings:
Now we have 2 issues (#2360, #2361) with titles "add new requirements" that actually going to replace/duplicate/modify current requirements. @TobiasAhnoff - can you provide reasoning, arguments, and goals for what we should achieve here? If in practice we are going to modify existing requirements, it makes sense to declare it that way and re-open previous issues for those requirements. |
@elarlang yes, some om the "add new" are modifications of existing and it it would be better to re-open those, add comments from "add new" issues and close the "add new". |
It would be helpful to have a direction to follow. At the moment it is quite messy (at least for me). There is one split proposal involved in another issue, but list here or somewhere else the set of requirements you propose with clear differences and modifications to existing requirements. |
Given #2361 (comment) "key confusion" is suggested to be slit to a new requirement and can be removed from 3.5.5. And then this issue is only to suggests a simplification of 3.5.5, to make it more clear that strong algorithms should be used and for JWTs 'None' should not be allowed, perhaps it can be like this
So the title of this issue could be changed to "modify 3.5.5" or close this and re-open a previous issue and add comment there for the suggested modification. Does that make a good summary? |
Having read through this thread and through #2361, it feels like this got a little complicated. I think we can boil this down to:
I would therefore suggest that the following modifications to 3.5.5 and 3.5.7 would close both #2360 and #2361.
I took out the symmetric/asymmetric thing because "only usable for specifically specified algorithms" should cover that. Comments @ryarmst @TobiasAhnoff @randomstuff? |
Three small comments:
|
I think it works to address both "Only use allow listed algorithms, not included None." and "Only have strong algorithms on the allow list." in V3.5.5 and have V3.5.7 to address "Only use specific trusted keys or key sources for specific algorithms." (which includes key confusion). Perhaps modify proposals in #2360 (comment), like this?
|
Looks like Tobias's updated draft covers this.
I think we could add "for this purpose" to make it clearer.
I think once we say that keys should only be usable for specific algorithms then it solves it regardless. Updated suggestions: 3.5.5 3.5.7 final comments @randomstuff @TobiasAhnoff @elarlang ? |
Add access token requirement for strong alg and "None" to mitigating risk of using weak or "none" algorithms to protect tokens
This is part of "cleaning up 3.5" see #1917 (comment)
The text was updated successfully, but these errors were encountered: