JOSE (Javascript Object Signing and Encryption) is a bad standard that everyone should avoid https://paragonie.com/blog/2017/03/jwt-json-web-tokens-is-bad-standard-that-everyone-should-avoid …
Parts are fallacies, like "must process" for alg header. Trivial correct processing is only accepting the value you would set.
How many developers would do it this way? Think of how much work it was to get people to care about TLS cipher config.
Indeed. It should be done right at the library level making it hard/impossible to do wrong without writing your own.
Then at the library level, we need correct guidance on how to handle ambiguities in the standard. So better standards :)
End of conversation

New conversation
I agree it's a bad standard, but it can be implemented correctly just by not supporting bogus insecurity masq'ing as flexibility.
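The thread's point is that a JWT verifier is safe when it accepts only the algorithm it would itself have set, instead of letting the token's `alg` header choose the verification routine. The following is an added example, not code from the tweets or from the linked article; it is a minimal HS256 issuer and verifier written for this page, with a constructed demo key (`DEMO_KEY`) and a pinned algorithm constant (`PINNED_ALG`). The verifier checks the header's `alg` against the pinned value before any signature work, compares signatures in constant time, and treats every deviation as a rejected token. `unsigned_variant` builds the classic negative test case (header `alg` set to `none`, empty signature) so you can confirm the verifier refuses it.

```python
import base64
import hashlib
import hmac
import json

# Constructed secret for this demo only; a real deployment loads a random key from config.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"

# The single algorithm this service issues and therefore the only one it accepts.
PINNED_ALG = "HS256"


class InvalidToken(Exception):
    """Raised for any token that is not exactly what this service would have issued."""


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT strips padding; restore it before decoding (raises ValueError on garbage).
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_compact(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("utf-8")


def issue_token(claims: dict, key: bytes) -> str:
    """Issue an HS256 token. The header is fixed; nothing from the caller reaches it."""
    header_b64 = _b64url_encode(_json_compact({"alg": PINNED_ALG, "typ": "JWT"}))
    claims_b64 = _b64url_encode(_json_compact(claims))
    signing_input = f"{header_b64}.{claims_b64}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header_b64}.{claims_b64}.{_b64url_encode(sig)}"


def verify_token(token: str, key: bytes) -> dict:
    """Verify a token against the pinned algorithm only.

    The header's "alg" is compared to PINNED_ALG before any signature work is done;
    a token that says "none", "HS512", "RS256" or anything else is rejected outright,
    so the header never selects the verification routine.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("expected header.claims.signature")
    header_b64, claims_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
    except ValueError:
        raise InvalidToken("header is not base64url-encoded JSON") from None
    if not isinstance(header, dict) or header.get("alg") != PINNED_ALG:
        raise InvalidToken("alg is not the pinned algorithm")
    signing_input = f"{header_b64}.{claims_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    try:
        presented = _b64url_decode(sig_b64)
    except ValueError:
        raise InvalidToken("signature is not base64url") from None
    # Constant-time comparison so signature checking does not leak byte by byte.
    if not hmac.compare_digest(expected, presented):
        raise InvalidToken("signature mismatch")
    try:
        claims = json.loads(_b64url_decode(claims_b64))
    except ValueError:
        raise InvalidToken("claims are not base64url-encoded JSON") from None
    if not isinstance(claims, dict):
        raise InvalidToken("claims must be a JSON object")
    return claims


def is_rejected(token: str, key: bytes) -> bool:
    """True if verify_token refuses the token; used for the negative test cases."""
    try:
        verify_token(token, key)
    except InvalidToken:
        return True
    return False


def unsigned_variant(token: str) -> str:
    """Constructed negative test case: same claims, header alg set to "none", no signature.
    A verifier that honours the header would accept this; a pinned verifier must not."""
    _, claims_b64, _ = token.split(".")
    header_b64 = _b64url_encode(_json_compact({"alg": "none", "typ": "JWT"}))
    return f"{header_b64}.{claims_b64}."


if __name__ == "__main__":
    tok = issue_token({"sub": "alice", "role": "user"}, DEMO_KEY)
    print("valid token accepted:", verify_token(tok, DEMO_KEY))
    print("alg=none variant rejected:", is_rejected(unsigned_variant(tok), DEMO_KEY))
    print("wrong key rejected:", is_rejected(tok, b"some-other-key"))
```

The design choice worth copying is that `verify_token` never reads the header to decide *how* to verify; it reads it only to confirm the token is one this service could have issued, which is exactly the "only accept the value you would set" rule from the thread. A library that exposes this shape (algorithm fixed at construction, no per-token algorithm selection) makes the insecure path unavailable rather than merely discouraged.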