0010101: JWT security issue

10000-006: Mappings
- - All Projects
  - .NET API
  - Certification
  - Compliance Test Tool (CTT) COM Classic
  - Compliance Test Tool (CTT) Unified Architecture
  - CTT UA Binary
  - CTT UA Help
  - CTT UA Package
  - CTT UA Scripts
  - CTT UA Test Case
  - OPC Analyzer
  - Safety Compliance Test Tool (UASCTT)
  - UASCTT Documentation
  - UASCTT Software
  - Specifications
  - Classic DA Client
  - Classic DA Server
  - Safety Test Document
  - UA Client - Certification tests
  - UA Server - Certification tests
  - COM/XML Sample Code
  - COM-AE Sample Code
  - COM-DA Sample Code
  - COM-HDA Sample Code
  - XML-DA Sample Code
  - Core Components
  - OpenSCS
  - UA
  - Field eXchange (UAFX)
  - Part 80: UAFX Overview and Concepts
  - Part 81: UAFX Connecting Devices and Information Model
  - Part 82: UAFX Networking
  - Part 83: UAFX Offline Engineering
  - Part 84: UAFX Profiles
  - UAFX Nodeset
  - UAFX Testing (CTT)
  - Information Models
  - 10000-100: Devices
  - 10000-110: Asset Management Basics
  - 10000-200: Industrial Automation - Basics
  - 10000-210: Industrial Automation - Relative Spatial Location
  - 10020: Analyzer Device Integration (ADI)
  - 10030: ISA-95
  - 10031: ISA 95 Job Control
  - 10040: IEC 61850
  - 11020: Companion Spec Template
  - 30000: PLCopen
  - 30010: AutoID
  - 30020: MDIS
  - 30030: BACnet
  - 30040: AutomationML
  - 30050: PackML
  - 30060: TMC
  - 30070: MTConnect
  - 30081: PADIM
  - 30090: FDT
  - 30110: Powerlink
  - 30120: IO-Link
  - 30130: CCLink (CSP+ForMachine)
  - 30140: PROFINET
  - 30170: ODVA-CIP
  - 30170: ODVA-CIP: 01: Promises
  - 30170: ODVA-CIP: 02: User Stories
  - 30170: ODVA-CIP: 03: Requirements
  - 30200: Commercial Kitchen Equipment
  - 30250: DEXPI
  - 30270: I4AAS
  - 30400: UA Cloud LIbrary
  - 34100: Energy Consumption Management
  - 40001: Machinery
  - 40010: Robotics
  - 40010-1: Robotics-1: Vertical integration
  - 40083: PlasticsRubber
  - 40100: Machine Vision
  - 40100-1: MachineVision-1: Control and more
  - 40200: Weighing Technology
  - 40210: Geometric Measuring Systems
  - 40223: Pumps and Vacuum Pumps
  - 40250: Compressed Air
  - 40301: Flat Glass
  - 40450: Joining
  - 40450-1: IJT Joining System – Base
  - 40451: Tightening
  - 40451-1: IJT Tightening System – General
  - 40501: MachineTool
  - 40501-1: MachineTool-1: Monitoring and Job
  - 40502: CNC
  - 40550: Woodworking Machinery
  - UA Specification
  - 10000-001: Concepts
  - 10000-002: Security
  - 10000-003: Address Space
  - 10000-004: Services
  - 10000-005: Information Model
  - 10000-006: Mappings
  - 10000-007: Profiles
  - 10000-008: Data Access
  - 10000-009: Alarms and Conditions
  - 10000-010: Programs
  - 10000-011: Historical Access
  - 10000-012: Discovery
  - 10000-013: Aggregates
  - 10000-014: PubSub
  - 10000-015: Safety
  - UA Safety Stack
  - UA Safety Stack - Documentation
  - UA Safety Stack - Source Code
  - 10000-016: State Machines
  - 10000-017: Alias Names
  - 10000-018: Role-Based Security
  - 10000-019: Dictionary Reference
  - 10000-020: File Transfer
  - 10000-021: Device Onboarding
  - 10000-022: Base Network Model
  - 10000-023: Common ReferenceTypes
  - 10000-024: Scheduler
  - 10000-025: ObjectSerialization
  - 10000-110: Asset Management Basics
  - 10000-120: XML Data Type Mapping
  - 10000-200: Industrial Automation - Basics
  - 10000-210: Industrial Automation - Relative Spatial Location
  - Code Generators
  - ModelValidator
  - Feature Requests
  - NodeSets, XSDs and Generated Code
  - Website
  - IOP App
  - Online Reference
  - Profiles Application
  - Teams
  - Whitepapers - 22***
  - OPC-11030: UA Modelling Best Practices
  - Wireshark plug-in
anonymous

ID	Project	Category	View Status	Date Submitted	Last Update

0010101	10000-006: Mappings	Spec	public	2025-01-16 09:37	2025-01-16 09:37

Reporter	Erik Kitzmann	Assigned To
Priority	normal	Severity	minor	Reproducibility	always
Status	new	Resolution	open
Product Version	1.05.04

Summary	0010101: JWT security issue
Description	RFC 7518 allowes a JWT with the signing algorithm "none". This is a security issue, in my opinion the UA specification should forbid this.
Tags	No tags attached.

Commit Version
Fix Due Date

Date Modified	Username	Field	Change
2025-01-16 09:37	Erik Kitzmann	New Issue

View Issue Details

Activities

Issue History