From: Bill B. <bb...@re...> - 2013-07-02 13:23:10
You want timestamp and exp in the JWS? IMO, this is not needed; it's up to the entity embedded/encoded in the JWS to provide this information.

On 7/2/2013 5:07 AM, Bruno Oliveira wrote:
> Just correcting myself on the previous e-mail. I was talking about JWS
> and iat is not necessary.
>
> iat and exp were already implemented in the JsonWebToken class, sorry.
>
> Bruno Oliveira wrote:
>> Good morning everyone.
>>
>> I've been working to include security on AeroGear and make use of
>> RESTEasy. To be more specific, I would like to include JWT/JWS support;
>> the API is pretty straightforward and I think it is a good fit for mobile.
>>
>> Before moving forward on AeroGear I'd like to suggest (and implement, if you
>> guys agree) the inclusion of two new attributes:
>>
>> - iat: claim identifies the time at which the JWT was issued. This claim
>> can be used to determine the age of the JWT. Its value MUST be a number
>> containing an IntDate value.
>>
>> - exp: claim identifies the expiration time on or after which the JWT
>> MUST NOT be accepted for processing. The processing of the exp claim
>> requires that the current date/time MUST be before the expiration
>> date/time listed in the exp claim. Implementers MAY provide for some
>> small leeway, usually no more than a few minutes, to account for clock
>> skew. Its value MUST be a number containing an IntDate value.
>>
>> This is important, because I wouldn't like to trust SSL/TLS only. If
>> for some reason this layer is broken (wrong configuration, lack of
>> understanding from some developers), it would be nice to have an
>> additional layer of security (it won't solve all the problems, but might
>> help).
>>
>> What do you guys think? Does it make sense?
>>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
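The iat/exp handling Bruno quotes from the JWT draft, as an added example that is not code from this thread, from RESTEasy, or from the JsonWebToken class it mentions: a minimal HS256 compact-JWS signer and verifier in Python (standard library only) that checks the signature first, then rejects tokens whose exp has passed or whose iat lies in the future, allowing a small leeway for clock skew. The key, claim values and timestamps are constructed for the demonstration.

```python
"""Added example: HS256 JWS with iat/exp validation and clock-skew leeway.
Not the thread's or RESTEasy's code; key and claims below are constructed."""
import base64
import hashlib
import hmac
import json


def _b64url_encode(data: bytes) -> str:
    # JWS uses base64url without '=' padding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jws(claims: dict, key: bytes) -> str:
    """Build a compact JWS (header.payload.signature) signed with HS256."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_jws(token: str, key: bytes, now: int, leeway: int = 60) -> dict:
    """Verify the signature, then enforce iat/exp against `now` (IntDate).

    `leeway` (seconds) absorbs clock skew between issuer and verifier and
    should stay small, a few minutes at most. Raises ValueError on failure.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed compact JWS")
    header_b64, payload_b64, sig_b64 = parts

    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm on the verifier side; never let the token choose it
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")

    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    # Constant-time comparison; check the signature before trusting any claim
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")

    claims = json.loads(_b64url_decode(payload_b64))

    # exp: current time must be before exp; leeway pushes the cutoff out
    exp = claims.get("exp")
    if not isinstance(exp, int) or isinstance(exp, bool):
        raise ValueError("exp missing or not an IntDate")
    if now >= exp + leeway:
        raise ValueError("token expired")

    # iat: reject a token that claims to be issued in the future (beyond leeway)
    iat = claims.get("iat")
    if not isinstance(iat, int) or isinstance(iat, bool):
        raise ValueError("iat missing or not an IntDate")
    if iat > now + leeway:
        raise ValueError("token issued in the future")

    return claims


def token_age(claims: dict, now: int) -> int:
    """Age of a verified token in seconds, derived from its iat claim."""
    return now - claims["iat"]


def validation_result(token: str, key: bytes, now: int, leeway: int = 60) -> str:
    """Convenience wrapper: 'ok' on success, otherwise the rejection reason."""
    try:
        verify_jws(token, key, now, leeway)
        return "ok"
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    demo_key = b"constructed-demo-key"  # constructed; use a random key in practice
    tok = sign_jws({"sub": "alice", "iat": 1000, "exp": 1300}, demo_key)
    print(validation_result(tok, demo_key, now=1100))   # ok
    print(validation_result(tok, demo_key, now=1400))   # token expired
```

The order matters: the signature is checked before any claim is read, so an attacker who cannot forge the MAC cannot extend exp, and the verifier fixes the algorithm rather than trusting the header's alg. Leeway is applied symmetrically, extending exp slightly and tolerating an iat a little ahead of the verifier's clock, which is the "small leeway" the draft permits.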