## Is it necessary to encrypt a JSON Web Token more than what is built-in?

As a developer I do have some understanding of OWASP; I am also a member of the OWASP community, an official dues-paying one. Anyway, what I may not understand is information security, in that I am not a security engineer, and so I pose the following question:

Is it necessary to encrypt and encode a JSON Web Token?

In my experience, no secure or confidential information should be in a JSON Web Token anyway, outside of the id and email of the user. I can imagine a customer such as a bank freaking out about that, but what can someone do with an email? The password is salted and hashed, and also, at least in the NodeJS world that is my wheelhouse, a JSON Web Token is tamper resistant.

I can verify that a token is valid by using the signature, and if it fails due to tampering then the services will no longer trust it; that simple, no? Why would it be necessary to encrypt it, encode it, and whatever else an overzealous engineer can think of? What problem is it solving, or what use case is it handling, that is not already built in? Is it because in other programming languages there are no built-in libraries that can run a jwt.verify() on the JWT?

Could the case described in this post be what the institution is trying to solve?

JWT (JSON Web Token) Tampering

I understand that for a customer for whom this is a big deal, encrypting the cookie contents is an option, but would that be overkill?

## Cookie expiration time : Is it really necessary? [duplicate]

Why can't cookies just be there forever? Why is an expiry time needed? Unless the app is very security critical (like banking) I don't find a reason to expire the session. Why irritate the user frequently with auth?

Should I have session expiration (X days since session created, X days since last visit, etc.) for my normal webapp?
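As an added example (not code from the original post), the following is a small server-side session store with both of the timers the question mentions: an idle timeout (time since last visit) and an absolute lifetime (time since the session was created). The timer values, the store and the cookie attributes are assumptions for the demo; `now` is passed in as seconds so the behaviour is reproducible.

```javascript
// Added example, not from the original post: session expiry with idle and absolute limits.
const crypto = require('crypto');

const IDLE_TIMEOUT_S = 30 * 60;          // assumed: revoke after 30 minutes without a request
const ABSOLUTE_LIFETIME_S = 8 * 60 * 60; // assumed: re-authenticate after 8 hours regardless

// `store` is any Map-like object (a Map here; Redis or a DB table in practice).
function createSession(store, userId, now) {
  const id = crypto.randomBytes(32).toString('base64url'); // 256-bit unguessable identifier
  store.set(id, { userId, createdAt: now, lastSeen: now });
  return id;
}

// Called on every authenticated request. Returns the user on success, or the reason the
// session is no longer valid. Expired sessions are deleted so a stolen cookie stops working
// server-side, whatever the browser still holds.
function touchSession(store, id, now) {
  const s = store.get(id);
  if (!s) return { ok: false, reason: 'unknown' };
  if (now - s.createdAt >= ABSOLUTE_LIFETIME_S) {
    store.delete(id);
    return { ok: false, reason: 'absolute-expired' };
  }
  if (now - s.lastSeen >= IDLE_TIMEOUT_S) {
    store.delete(id);
    return { ok: false, reason: 'idle-expired' };
  }
  s.lastSeen = now; // sliding window: activity extends the idle timer, never the absolute one
  return { ok: true, userId: s.userId };
}

// The Set-Cookie value: Max-Age only tells the browser when to drop the cookie; the
// server-side check above is what actually enforces expiry.
function sessionCookie(id) {
  return `sid=${id}; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=${ABSOLUTE_LIFETIME_S}`;
}
```

The idle timer is what limits the window in which a cookie left on a shared machine or lifted by XSS-adjacent tooling remains useful; the absolute timer bounds it even for a user who never stops clicking. Neither has to be short enough to "irritate the user": an 8-hour absolute limit with a 30-minute idle limit is invisible to most people during a working day.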

## Is it necessary for a Push down Automaton (PDA) to have a stack?

I am given a Finite Automaton and the question is to design an Equivalent PDA for it. This is my FA:

Is this PDA correct, or do I need to add a stack to it? If it's right, when is the stack needed?

## Is a PGP passphrase necessary if I store the private key and passphrase in the same place?

I'm building a system that generates a PGP key and stores the private key in a secret vault. One thing I'm not fully understanding is the need for a passphrase.

I can generate a random passphrase during the key generation and then store it in the secret vault alongside the private key, but I'm wondering if it has any benefit. If I store both the passphrase and the private key in the same place, and that place can be considered secure, is there any additional benefit to using the passphrase? Or is just storing the private key securely enough?

## Why is FOLLOW not necessary for LL(1) grammars with no $\epsilon$ transitions?

I’m aware of how FIRST and FOLLOW sets are used to construct a parsing table for LL(1) grammars.

However, I’ve encountered this statement from my notes:

With $\epsilon$ productions in the grammar, we may have to look beyond the current non-terminal to what can come after it

In my opinion, this suggests that FOLLOW is not necessary for LL(1) grammars that have no $\epsilon$ transition. Am I wrong? And if I'm not, why is this the case?

Thanks
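As an added example (not from the original post), here is a FIRST/FOLLOW computation and LL(1) table construction written in plain JavaScript, with a flag recording whether any table entry was actually placed using a FOLLOW set. Grammars are constructed for the demo: a non-terminal is any key of the grammar object, a production is an array of symbols, and the empty array is an $\epsilon$ production.

```javascript
// Added example, not from the original post: FIRST, FOLLOW and the LL(1) table, with a
// flag that tells you whether FOLLOW was ever consulted when filling the table.
const EPS = 'ε';
const END = '$';

const isNonTerminal = (g, sym) => Object.prototype.hasOwnProperty.call(g, sym);

// FIRST of a sequence of symbols, given the FIRST sets computed so far.
function firstOfSeq(g, first, seq) {
  const out = new Set();
  for (const sym of seq) {
    if (!isNonTerminal(g, sym)) { out.add(sym); return out; } // terminal: stop here
    for (const s of first[sym]) if (s !== EPS) out.add(s);
    if (!first[sym].has(EPS)) return out;                      // not nullable: stop here
  }
  out.add(EPS); // every symbol was nullable (or the sequence is empty)
  return out;
}

function computeFirst(g) {
  const first = {};
  for (const nt of Object.keys(g)) first[nt] = new Set();
  let changed = true;
  while (changed) {
    changed = false;
    for (const [nt, prods] of Object.entries(g)) {
      for (const rhs of prods) {
        const before = first[nt].size;
        for (const s of firstOfSeq(g, first, rhs)) first[nt].add(s);
        if (first[nt].size !== before) changed = true;
      }
    }
  }
  return first;
}

function computeFollow(g, first, start) {
  const follow = {};
  for (const nt of Object.keys(g)) follow[nt] = new Set();
  follow[start].add(END);
  let changed = true;
  while (changed) {
    changed = false;
    for (const [nt, prods] of Object.entries(g)) {
      for (const rhs of prods) {
        for (let i = 0; i < rhs.length; i++) {
          const B = rhs[i];
          if (!isNonTerminal(g, B)) continue;
          const before = follow[B].size;
          const rest = firstOfSeq(g, first, rhs.slice(i + 1));
          for (const s of rest) if (s !== EPS) follow[B].add(s);
          if (rest.has(EPS)) for (const s of follow[nt]) follow[B].add(s);
          if (follow[B].size !== before) changed = true;
        }
      }
    }
  }
  return follow;
}

// Builds table[A][a] = rhs. FOLLOW(A) is consulted only for a production whose
// right-hand side can derive ε, which is exactly the case the notes describe.
function buildLL1Table(g, start) {
  const first = computeFirst(g);
  const follow = computeFollow(g, first, start);
  const table = {};
  const conflicts = [];
  let usedFollow = false;
  const put = (A, a, rhs) => {
    table[A] = table[A] || {};
    if (table[A][a]) conflicts.push(`${A} on ${a}`); // two productions in one cell: not LL(1)
    table[A][a] = rhs;
  };
  for (const [A, prods] of Object.entries(g)) {
    for (const rhs of prods) {
      const f = firstOfSeq(g, first, rhs);
      for (const a of f) if (a !== EPS) put(A, a, rhs);
      if (f.has(EPS)) {
        usedFollow = true;
        for (const b of follow[A]) put(A, b, rhs);
      }
    }
  }
  return { first, follow, table, usedFollow, conflicts };
}
```

Run on an $\epsilon$-free grammar such as S → a S b | c the table is filled entirely from FIRST and `usedFollow` stays false, even though FOLLOW(S) is non-empty; on S → a S | $\epsilon$ the $\epsilon$ production lands in the table only through FOLLOW(S), so `usedFollow` becomes true. FOLLOW still matters for the LL(1) conflict test itself only when some production is nullable.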

## Why is /cacerts request necessary in RFC 7030 Enrollment Over Secure Transport?

In RFC 7030 Enrollment Over Secure Transport (EST) https://tools.ietf.org/html/rfc7030, the /cacerts request (Section 4.1 of RFC 7030) is used by the client to request the current CA certificates. The returned certificates are added to the client’s ‘Explicit TA database’ and must be used to authenticate all future exchanges with the EST CA.

The RFC says that the client is expected to make this request before performing other operations such as requesting a certificate (Section 2.1). I can understand why this is useful in the case that a client is only initialised with an 'Implicit TA database' (e.g., a root certificate belonging to a third-party issuing CA), as it can then initialise its 'Explicit TA database' with the certificates belonging to the PKI it wishes to enrol in (Section 4.1.3). However, I'm not clear on the benefit when the client is initialised with an Implicit TA database such as the issuing CA certificate (and corresponding certificate chain) for the CA it wishes to enrol with. Perhaps it has something to do with allowing root key updates using rollover certificates (also discussed in Section 4.1.3), but I'm not clear on why this could not be handled as part of the /simpleenroll request. Any help clarifying the purpose of the /cacerts request would be much appreciated!

## PCI DSS 1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment

A strict interpretation of that rule would seem to prohibit web browsing by PCs on the same LAN as a card processing PC. However, it appears that rule is interpreted in practice as though it says “Restrict inbound and outbound traffic to that which is necessary for the business environment.” Can anyone provide confirmation or clarification?

## Is it necessary to protect the OAuth2 return URL

I am thinking to implement a REST service that needs to call another REST service that is protected by OAuth2.

My service is “always” called server to server by web applications.

The user interacts with the web applications using their authentication.

The server-to-server call is executed on behalf of the authenticated user.

The only problem I have is the "return URL" that is necessary to pass to the third-party service: the browser is redirected to this URL at the end of the OAuth2 authorization process. This URL needs to point to my service instead of each web application.

This means that the browser needs to call directly that “return URL”.

My question is: is it safe enough to use the “state” (see https://auth0.com/docs/protocols/oauth2/oauth-state) to protect this URL?

Can this URL be open and just check that the passed state is valid?

## Are endmarkers necessary for Deterministic Pushdown Automata?

In the book by Kozen (Automata and Computability), the transition function of deterministic pushdown automata (DPDAs) is supposed, in contrast with non-deterministic pushdown automata (NPDAs), to accept as arguments triples $(q, \sigma, \gamma)$ with $\gamma$ that might be a right endmarker symbol. It is written: "The right endmarker delimits the input string and is a necessary addition. With NPDAs, we could guess where the end of the input string was, but with DPDAs we have no such luxury." (p. 176). Can we show that this condition is necessary? Can we give an example of a language accepted by this kind of DPDA that is not accepted by any DPDA whose transition function has no argument with an endmarker?