From 0aa11d2c646461736117b60138bfa626b933c59f Mon Sep 17 00:00:00 2001 From: Colleen Murphy Date: Fri, 20 Oct 2017 11:39:56 +0200 Subject: [PATCH] Clarify details of json-web-tokens spec Change-Id: Ia00e71d5229aaedbd97f7b33dc9308b121948d4f --- specs/keystone/backlog/json-web-tokens.rst | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/specs/keystone/backlog/json-web-tokens.rst b/specs/keystone/backlog/json-web-tokens.rst index 9393920a..307b77a9 100644 --- a/specs/keystone/backlog/json-web-tokens.rst +++ b/specs/keystone/backlog/json-web-tokens.rst @@ -106,10 +106,13 @@ Security Impact --------------- Since JWT is a widely used web standard, this will have a net positive impact -on security. Choosing to use JWE, an optional feature of the JWT spec, will -ensure that the data within the token is at least as secure as it is in fernet -tokens. These will still be bearer tokens and so interception of one must still -be guarded against. +on security. The implementation will use JWE even though it is an optional +feature of the JWT spec. While this will not protect against an attacker using +a valid token to query keystone for information about the token, it protects +against an attacker gaining information from an expired or revoked token. This +will ensure that the data within the token is at least as secure as it is in +fernet tokens. These will still be bearer tokens and so interception of one +must still be guarded against. Notifications Impact --------------------
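Review bot: the added claim "it protects against an attacker gaining information from an expired or revoked token" should state the assumption it rests on, namely that the JWE encryption key stays private to keystone; JWE only hides the payload from parties without that key, so the sentence that token data is "at least as secure as it is in fernet tokens" holds only if JWE key handling (generation, rotation, distribution to every keystone node) is at least as strict as it is for fernet keys. Suggest adding a sentence such as "This assumes the JWE keys are generated, distributed and rotated with the same care as fernet keys." It would also help to note that expiry and revocation are still enforced by keystone at validation time, since as written the paragraph can be read as implying that encryption alone is what handles expired or revoked tokens.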