From: Bruno O. <br...@ab...> - 2013-07-10 17:36:21
It's ok, the argument is for scenarios where SSL is not configured and this layer just doesn't exist. Two-way SSL is a great solution if we believe that most of our devs know how to properly configure it. Either way it's fine.

Bill Burke wrote:
> Why reinvent two-way SSL? Just use two-way SSL.
>
> On 7/2/2013 10:57 AM, Bruno Oliveira wrote:
>> Hi Bill, only the "exp" attribute from
>> http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-11
>>
>> I'm not sure if it makes sense, but I would like to make use of your
>> lib on the client side (Android - extracting bits or the whole jose-jwt
>> module) and on the server side.
>>
>> Each application would have its own signature, for non-repudiation
>> against the server and to prevent replay attacks.
>>
>> Does that make sense? If not it's ok, I can dig more into the API.
>>
>>
>> Bill Burke wrote:
>>> You want timestamp and exp in the JWS? IMO, this is not needed, it's up
>>> to the entity embedded/encoded in the JWS to provide this information.
>>
>

--
abstractj
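
The "exp" check discussed in this thread, as an added example (not code from the thread or from the jose-jwt module): a compact JWS whose signed payload carries "exp", verified with the Python standard library. HS256 with a shared key is an assumption made to keep it self-contained; it does not provide non-repudiation, which needs a per-application asymmetric key, and "exp" only bounds the window in which a captured token can be replayed.

```python
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(key: bytes, header_b64: str, body_b64: str) -> bytes:
    # The JWS signing input is the two encoded segments joined by a dot.
    return hmac.new(key, f"{header_b64}.{body_b64}".encode("ascii"), hashlib.sha256).digest()

def sign(payload: dict, key: bytes) -> str:
    """Build a compact JWS (HS256); "exp" travels inside the signed payload."""
    header_b64 = b64url(json.dumps({"alg": "HS256"}, separators=(",", ":")).encode())
    body_b64 = b64url(json.dumps(payload, separators=(",", ":")).encode())
    return f"{header_b64}.{body_b64}.{b64url(_mac(key, header_b64, body_b64))}"

def verify(token: str, key: bytes, now: int) -> dict:
    """Return the payload only if the MAC is valid and "exp" is still in the future."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except ValueError as err:
        raise ValueError("malformed token") from err
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm, do not follow the header
    if not hmac.compare_digest(sig, _mac(key, header_b64, body_b64)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(body_b64))  # parsed only after the MAC checks out
    exp = payload.get("exp") if isinstance(payload, dict) else None
    # This example accepts integer seconds only; a missing "exp" is rejected, not ignored.
    if type(exp) is not int or now >= exp:
        raise ValueError("missing or expired exp")
    return payload

if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample key, not a real secret
    token = sign({"sub": "app-1", "exp": 1373477781}, key)  # constructed sample claims
    print(verify(token, key, now=1373477000))
```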