Hacker News

> What you get is that the peer can't forge tokens. But you're trying to authenticate to them; they already have full authority. So what are you fixing? (I'm not saying it's "nothing", but I am saying it's very little, and it's definitely plausible the increased risk isn't worth it.)

You get something you can show to a third party: 'see, the bank said their client was good for $10,000!' I can see where that might be useful.
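To make the distinction in this exchange concrete, here is an added example (not code from the thread or from any commenter): a "bank vouches for its client" claim protected two ways, once by an HMAC under a secret shared between bank and merchant, once by an Ed25519 signature under the bank's key. The claim fields, the use of Ed25519 and HMAC-SHA256, and the party names are all assumptions for illustration; they are not tied to any particular token format from the thread.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Claim is a constructed stand-in for the "bank says its client is good for $10,000"
// assertion in the thread; the field set is an assumption, not any real token format.
type Claim struct {
	Issuer  string `json:"iss"`
	Subject string `json:"sub"`
	Limit   int    `json:"limit"`
}

// canonical produces the bytes that get MACed or signed. Struct field order is fixed,
// so json.Marshal is deterministic here.
func canonical(c Claim) []byte {
	b, err := json.Marshal(c)
	if err != nil {
		panic(err)
	}
	return b
}

// Scheme A: a MAC under a secret shared by issuer and relying party.
func MacToken(secret []byte, c Claim) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write(canonical(c))
	return m.Sum(nil)
}

func MacVerify(secret []byte, c Claim, tag []byte) bool {
	return hmac.Equal(tag, MacToken(secret, c))
}

// Scheme B: a signature under the issuer's private key; anyone holding the public key can verify.
func SignToken(priv ed25519.PrivateKey, c Claim) []byte {
	return ed25519.Sign(priv, canonical(c))
}

func SigVerify(pub ed25519.PublicKey, c Claim, sig []byte) bool {
	return ed25519.Verify(pub, canonical(c), sig)
}

// Outcome records who could verify or forge what in the scenario played out by Demo.
type Outcome struct {
	MacAcceptedByRelyingParty bool // the MAC authenticates the bank to the merchant
	MacForgedByRelyingParty   bool // ...but the merchant can mint an equally valid MAC
	SigAcceptedByRelyingParty bool // the signature also authenticates the bank to the merchant
	SigAcceptedByThirdParty   bool // ...and an auditor holding only the public key can check it
	SigForgedByRelyingParty   bool // ...while the merchant cannot produce one under the bank's key
}

// Demo plays out bank (issuer), merchant (relying party) and auditor (third party).
func Demo() (Outcome, error) {
	var out Outcome
	claim := Claim{Issuer: "bank", Subject: "client-42", Limit: 10000}   // constructed sample
	forged := Claim{Issuer: "bank", Subject: "client-42", Limit: 1000000} // a claim the bank never made

	// Scheme A: bank and merchant share one secret.
	shared := make([]byte, 32)
	if _, err := rand.Read(shared); err != nil {
		return out, err
	}
	tag := MacToken(shared, claim)
	out.MacAcceptedByRelyingParty = MacVerify(shared, claim, tag)
	// The merchant holds the same secret, so its forgery verifies just as well as the real token.
	out.MacForgedByRelyingParty = MacVerify(shared, forged, MacToken(shared, forged))

	// Scheme B: only the bank holds the signing key.
	bankPub, bankPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return out, err
	}
	sig := SignToken(bankPriv, claim)
	out.SigAcceptedByRelyingParty = SigVerify(bankPub, claim, sig)
	// The auditor is handed only (claim, sig) plus the bank's public key, and can still check it.
	auditorCopy := append(ed25519.PublicKey(nil), bankPub...)
	out.SigAcceptedByThirdParty = SigVerify(auditorCopy, claim, sig)
	// The merchant's own key cannot stand in for the bank's.
	_, merchantPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return out, err
	}
	out.SigForgedByRelyingParty = SigVerify(bankPub, forged, SignToken(merchantPriv, forged))

	return out, nil
}

func main() {
	out, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

Both schemes let the merchant authenticate the bank, which is the "they already have full authority" point in the quoted comment. The difference shows up only when a third party enters: the MAC proves to an auditor at most that one of the two secret holders produced the tag, while the signature can be checked by anyone with the bank's public key and cannot be produced by the merchant.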



I don't think I could've made my own point this elegantly. Eventually trying to disprove what the other party is saying is literally the opposite of what normal token schemes (say, SAML or OIDC JWT) are trying to accomplish: trying to establish what the other party is claiming.


This feels like grasping at straws.



