▲ | cryptonector 2 months ago |
> JSON Web Signatures are a gnarly format

They are?? As someone who wallows in ASN.1, Kerberos, and PKI, I don't find JWS so "gnarly". Even if you're open-coding a JSON Web Signature it will be easier than to open-code S/MIME, CMS, Kerberos, etc. Can you explain what is so gnarly about JWS? Mind you, there are problems with JWT. Mainly that HTTP user-agents don't know how to fetch the darned things because there is no standard for how to find out how to fetch the darned things, when you should honor a request for them, etc.
▲ | mcpherrinm 2 months ago | parent | next [-]
I'd take ASN.1/DER over JWS any day :) It's the weekend and I don't feel I have the energy to launch a full roast of JWS, but to give some flavour, I'll link https://auth0.com/blog/critical-vulnerabilities-in-json-web-... Implementations can be written securely, but it's too easy to make mistakes. Yeah, there's worse stuff from the 90s around, but JOSE and ACME are newer than that - we could have done better! Alas, it's not changing now. I think ASN.1 has some warts, but I think a lot of the problems with DER are actually in creaky old tools. People seem way happier with Protobuf, for example: I think that's largely down to tooling.
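
The "too easy to make mistakes" point above is usually about verifiers that let the token's own header decide how it is checked. The following is an added example, not code from either commenter or from any JOSE library: a minimal compact-JWS (HS256) verifier that pins the accepted algorithms on the verifier side, so a header claiming `alg: none` or any algorithm outside the allow-list is rejected before any signature logic runs. The key, payload and allow-list are constructed for the example; `sign_hs256` exists only to produce test input.

```python
import base64
import hashlib
import hmac
import json

# Constructed allow-list: the verifier decides which algorithms are acceptable.
# The token header is untrusted input and must never extend this set.
ALLOWED_ALGS = frozenset({"HS256"})


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as used by the JWS compact serialization."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; re-adds the padding that JWS strips."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _compact_json(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("utf-8")


def sign_hs256(payload: dict, key: bytes) -> str:
    """Produce a compact JWS signed with HMAC-SHA256 (test input only)."""
    header_b64 = b64url_encode(_compact_json({"alg": "HS256", "typ": "JWT"}))
    payload_b64 = b64url_encode(_compact_json(payload))
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{b64url_encode(sig)}"


def unsigned_token(payload: dict) -> str:
    """Constructed negative test case: a token whose header claims alg 'none'
    and carries an empty signature. A correct verifier must reject it."""
    header_b64 = b64url_encode(_compact_json({"alg": "none", "typ": "JWT"}))
    return f"{header_b64}.{b64url_encode(_compact_json(payload))}."


def verify_compact_jws(token: str, key: bytes, allowed_algs=ALLOWED_ALGS) -> dict:
    """Verify a compact JWS and return its payload, or raise ValueError.

    Order matters: parse the header, check the algorithm against the pinned
    allow-list, only then compute and compare the signature.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    header_b64, payload_b64, sig_b64 = parts

    try:
        header = json.loads(b64url_decode(header_b64))
    except Exception as exc:  # malformed base64 or JSON
        raise ValueError("malformed JWS header") from exc
    if not isinstance(header, dict):
        raise ValueError("JWS header is not a JSON object")

    alg = header.get("alg")
    # The allow-list never contains "none", so unsigned tokens fail here.
    if alg not in allowed_algs:
        raise ValueError(f"algorithm {alg!r} is not permitted by this verifier")

    if alg == "HS256":
        signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
        expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    else:
        # Unreachable with the default allow-list; kept so that widening the
        # allow-list without adding a branch fails closed.
        raise ValueError(f"no verification routine for {alg!r}")

    # Constant-time comparison so signature checks do not leak timing.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")

    payload = json.loads(b64url_decode(payload_b64))
    if not isinstance(payload, dict):
        raise ValueError("JWS payload is not a JSON object")
    return payload


def check_rejected(token: str, key: bytes) -> bool:
    """True if the verifier refuses the token (used to assert negative cases)."""
    try:
        verify_compact_jws(token, key)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    key = b"constructed-example-key"
    good = sign_hs256({"sub": "alice"}, key)
    print("valid token ->", verify_compact_jws(good, key))
    print("alg none rejected ->", check_rejected(unsigned_token({"sub": "alice"}), key))
```

The design choice worth noting is that the allow-list is a parameter of the verifier, not something derived from the header: widening it to an asymmetric algorithm later requires adding an explicit branch, and a header naming anything else fails closed.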
▲ | asimops 2 months ago | parent | prev [-]
Don't you think you are falling for classic whataboutism here? Just because ASN.1 and friends are exceptionally bad, it does not mean that Json Web * cannot be bad also. | ||||||||