Mike Jones <[email protected]> wrote:
> The WebAuthn and FIDO2 working group members had thought that the COSE
> algorithm semantics were the same as those for JOSE, where algorithm
> identifiers are not polymorphic. They were wrong, but that's water
> under the bridge now. The FIDO/WebAuthn usage of the algorithm
> identifiers requires that the identifiers used unambiguously specify
> all algorithm parameters. (Note that FIDO/WebAuthn does not use COSE
> signatures - only COSE algorithm identifiers.) They have done what
It seems like maybe this is the origin of the problem?
Since they only use the identifiers, maybe it's really just WebAuthn's problem?
> Note that by the time that we registered the ES256K algorithm for
> signing with the secp256k1 curve in RFC 8812, we were aware of the
> problem and intentionally made ES256K non-polymorphic - both for JOSE
> and for COSE.
okay.
> I believe that we should create a policy requiring that all future
> algorithm registrations should be non-polymorphic. Furthermore, I
> believe we should consider defining and registering new non-polymorphic
> algorithm identifiers so that use of the existing polymorphic algorithm
> identifiers can be avoided and deprecated.
I don't feel strongly here.
If going that way would surprise fewer people, then okay.
--
] Never tell me the odds! | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works | network architect [
] [email protected] http://www.sandelman.ca/ | ruby on rails [
_______________________________________________
COSE mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/cose
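
An added example, not part of the original message and not taken from any COSE or WebAuthn implementation: a polymorphic COSE identifier such as ES256 leaves the curve to the key, so a verifier that treats identifiers as fully specified has to check the key's `crv` against the `alg` itself. The function name, the pinning table and the sample keys are assumptions constructed for illustration; the numeric labels are IANA COSE registry values.

```python
# COSE_Key map labels and values from the IANA COSE registries.
KTY, ALG, CRV, X, Y = 1, 3, -1, -2, -3
KTY_EC2 = 2

# Hypothetical pinning table: alg -> (name, required kty, required crv).
# The ECDSA rows pin each identifier to the curve its JOSE namesake implies;
# ES256K is already tied to secp256k1 by RFC 8812.
PINNED = {
    -7:  ("ES256",  KTY_EC2, 1),   # P-256
    -35: ("ES384",  KTY_EC2, 2),   # P-384
    -36: ("ES512",  KTY_EC2, 3),   # P-521
    -47: ("ES256K", KTY_EC2, 8),   # secp256k1
}


def check_alg_binding(cose_key, allowed_algs):
    """Return the algorithm name if alg, kty and crv agree, else raise ValueError.

    cose_key is an already-decoded COSE_Key map (CBOR decoding is out of scope).
    """
    alg = cose_key.get(ALG)
    if alg not in allowed_algs or alg not in PINNED:
        raise ValueError(f"algorithm {alg!r} is not accepted")
    name, kty, crv = PINNED[alg]
    if cose_key.get(KTY) != kty:
        raise ValueError(f"{name}: unexpected key type {cose_key.get(KTY)!r}")
    if cose_key.get(CRV) != crv:
        # The polymorphic case: a valid COSE key, but not the curve the
        # relying party assumed when it advertised this identifier.
        raise ValueError(f"{name}: curve {cose_key.get(CRV)!r} does not match pinned {crv}")
    return name


# Constructed sample keys (coordinates are dummy bytes, not real points).
P256_KEY = {KTY: KTY_EC2, ALG: -7, CRV: 1, X: b"\x01" * 32, Y: b"\x02" * 32}
MISMATCHED_KEY = {KTY: KTY_EC2, ALG: -7, CRV: 2, X: b"\x01" * 48, Y: b"\x02" * 48}
K256_KEY = {KTY: KTY_EC2, ALG: -47, CRV: 8, X: b"\x01" * 32, Y: b"\x02" * 32}

if __name__ == "__main__":
    for key in (P256_KEY, MISMATCHED_KEY, K256_KEY):
        try:
            print("accepted:", check_alg_binding(key, {-7, -47}))
        except ValueError as err:
            print("rejected:", err)
```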
