No way JOSE! Lessons for authors and implementers of open standards
| Key | Action |
|---|---|
| K or space | Play / Pause |
| M | Mute / Unmute |
| C | Select next subtitles |
| A | Select next audio track |
| V | Show slide in full page or toggle automatic source change |
| left arrow | Seek 5s backward |
| right arrow | Seek 5s forward |
| shift + left arrow or J | Seek 10s backward |
| shift + right arrow or L | Seek 10s forward |
| control + left arrow | Seek 60s backward |
| control + right arrow | Seek 60s forward |
| shift + down arrow | Decrease volume |
| shift + up arrow | Increase volume |
| shift + comma | Decrease playback rate |
| shift + dot or shift + semicolon | Increase playback rate |
| end | Seek to end |
| beginning | Seek to beginning |
Share this media
Download links
HLS video stream
You can use an external player to play this stream (like VLC).
HLS video streamWhen subscribed to notifications, an email will be sent to you for all added annotations.
Your user account has no email address.
Information on this media
Links:
Number of views:
23Creation date:
July 3, 2018Speakers:
Fraser TweedaleLicense:
CC BY-SA v4Description
Protocol and data format specifications can be ambiguous, insecure or have other problems. Programmers and users bear the brunt of these issues. Using JOSE as a case study, I’ll discuss mistakes for standards authors to avoid, and demonstrate programming techniques for mitigating some kinds of problems.
JOSE (JSON Object Signing and Encryption) is a set of IETF standards for JSON-based cryptographic objects. You might know it as JWT or JWS. It is used in OpenID Connect, ACME, and other protocols. JOSE emerged a few years ago and has been causing headaches for the presenter ever since.
Using JOSE as a case study, this presentation looks at mistakes to avoid when specifying a data format or cryptographic protocol. We’ll also explore programming techniques for mitigating some kinds of problems in specifications. In particular, we will cover:
- the flawed rationale for the JOSE working group
- why JSON is a poor wire format for cryptographic objects
- cryptography issues in the JOSE specifications
- ambiguities and interoperability problems in the specifications
- common vulnerabilities in JOSE libraries
- how library authors can encourage or enforce safe use
- advice for standards authors or working groups
Each topic will culminate in one simple, actionable takeaway.
Programming principles and techniques will be demonstrated using Haskell and its joselibrary, which is maintained by the presenter.
Fraser Tweedale
Fraser works at Red Hat on the FreeIPA identity management system and Dogtag Certificate System. He’s interested in security, cryptography and functional programming. Jalapeño aficionado from the land Down Under.
Other media in the channel "2018"
110 views, 8 this year, 1 this monthGlassfish from (IN)Secure adminJuly 6th, 2018
160 views, 3 this yearShadow on the Wall - Risks and Flaws with ShadowsocksJuly 6th, 2018
57 views, 3 this yearOpen Hardware for (software) offensive securityJuly 6th, 2018
48 views, 4 this yearFreedom Fighting Mode - Open Source Hacking HarnessJuly 6th, 2018
76 views, 1 this yearExpl-iot: IoT Security Testing FrameworkJuly 6th, 2018
23 viewsIo(M)T Security: A year in reviewJuly 6th, 2018