On Mon, Jul 11, 2022 at 10:26:18AM -0500, Orie Steele wrote:
> Would you mind replying with hypothetical JWK representations and a label
> to refer to them, so we can work towards consensus on draft revisions?
>
> I am hearing a preference for more specific, which aligns with my option 2,
> but you go even further to include parameters in the `kty`...
>
> Option 4:
<snip>
> To me, this is starting to contradict the original RFC text... because
> the `kty` no longer refers to a "family" it refers to an "individual".

I think the JOSE RFC text is based on obsolete assumptions. What I think it assumes is that wild internal differences cause wild external differences. That is, each "family" has a different "keyshape".

However, that assumption is no longer true with modern cryptographic design. Despite being internally extremely different, EdDSA and Dilithium are externally basically identical (due to both being products of modern cryptographic design). And algorithms that are internally quite similar can still be externally wildly different, e.g., ECDSA and EdDSA. And it would be possible to design a signature algorithm that is internally even more similar to EdDSA, but still has the same wild external differences.

In COSE and JOSE, so far the kty's have clearly been driven by external differences. For every kty so far, the kty's are non-isomorphic or there is justification in terms of external differences (actually both). This even holds for more exotic stuff like HSS-LMS and WalnutDSA (one lacks private keys, and the other is just wildly externally different).

> Nobody switches on `kty` alone today, so this would likely not help
> implementations...

My test implementation of fully dynamic JWS does dispatch on kty alone unless kty is one of the few special values (e.g., if kty=OKP, then dispatch is on crv).

> Folks do switch on `kty` + `crv` or `alg` today...
>
> But I prefer to address `kty` before considering `alg`... since `alg` is
> currently optional... see this poll:
>
> https://twitter.com/OR13b/status/1545483227439046656

If alg is optional, then kty=OKP. The entire idea of AKP was to require alg, and dispatch on it. Without that, it fails the test "the kty's are non-isomorphic or there is justification in terms of external differences" above.
-Ilari

_______________________________________________
COSE mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/cose
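The dispatch rule discussed in the thread, as an added example that is not Ilari's test implementation or any draft's code: select the signing algorithm from `kty` alone, fall back to `crv` for the family-style kty values, require `alg` for a hypothetical `kty="AKP"`, and reject a JWK whose optional `alg` contradicts what `kty`/`crv` already imply. The AKP member names (`alg`, `pub`) and the sample `alg` label used for a Dilithium key are assumptions.

```python
# Per-kty required JWK members (RFC 7517/7518/8037). The AKP entry is a
# hypothetical "algorithm-keyed public key" type, not a registered kty.
REQUIRED = {
    "RSA": {"n", "e"},
    "EC": {"crv", "x", "y"},
    "OKP": {"crv", "x"},
    "oct": {"k"},
    "AKP": {"alg", "pub"},   # assumption: alg is mandatory and is the dispatch key
}

# For kty values that name a "family", the member that picks the individual.
SUBTYPE_MEMBER = {"EC": "crv", "OKP": "crv", "AKP": "alg"}

# alg values compatible with a (kty, subtype) pair. Used to refuse keys whose
# alg disagrees with kty/crv, which is the classic algorithm-confusion setup.
COMPATIBLE_ALG = {
    ("OKP", "Ed25519"): {"EdDSA"},
    ("OKP", "Ed448"): {"EdDSA"},
    ("EC", "P-256"): {"ES256"},
    ("EC", "P-384"): {"ES384"},
    ("EC", "P-521"): {"ES512"},
    ("RSA", None): {"RS256", "RS384", "RS512", "PS256", "PS384", "PS512"},
    ("oct", None): {"HS256", "HS384", "HS512"},
}


def dispatch(jwk: dict) -> tuple:
    """Return the (kty, subtype) pair that selects the signature implementation.

    Raises ValueError for an unknown kty, a missing required member, an
    unsupported kty/crv combination, or an alg that contradicts kty/crv.
    """
    kty = jwk.get("kty")
    if kty not in REQUIRED:
        raise ValueError(f"unknown kty {kty!r}")
    missing = REQUIRED[kty] - set(jwk)
    if missing:
        raise ValueError(f"kty={kty} is missing {sorted(missing)}")
    subtype = jwk.get(SUBTYPE_MEMBER[kty]) if kty in SUBTYPE_MEMBER else None
    alg = jwk.get("alg")
    if kty == "AKP":
        return (kty, alg)  # alg is mandatory here, so it is the whole answer
    allowed = COMPATIBLE_ALG.get((kty, subtype))
    if allowed is None:
        raise ValueError(f"unsupported kty={kty} crv={subtype}")
    if alg is not None and alg not in allowed:
        raise ValueError(f"alg={alg} contradicts kty={kty} crv={subtype}")
    return (kty, subtype)
```

For OKP and EC the returned subtype is the curve, so the caller never consults `alg` for them; for AKP there is no curve and `alg` is the only thing that can distinguish, e.g., a Dilithium key from any other AKP key.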
