I agree with Hannes that the solution to any possible confusion in (1) is to
explicitly state that the URI can be used by any applications - not just
applications using OAuth.
Like Hannes, I disagree with the assertion that the IANA "Named Information
Hash Algorithm Registry" is not well-maintained. Like any other IANA registry,
if you want a new entry, create a specification and register it. I've created
many specifications to do just that, such as RFC 8230 and RFC 8812. If you have an
itch, scratch it yourself! It's the IETF way!
Finally, like Hannes, I would prefer that we continue to use the same hash
algorithms registry as the JWK Thumbprint URI spec [RFC 9728] does for the same
purpose. Unnecessary differences when doing the same thing should be avoided.
Best wishes,
-- Mike
-----Original Message-----
From: Hannes Tschofenig <[email protected]>
Sent: Saturday, December 23, 2023 11:15 AM
To: Carsten Bormann <[email protected]>; [email protected]; [email protected]
Cc: Isobe Kohei <[email protected]>; [email protected]; Michael
Jones <[email protected]>
Subject: COSE Key Thumbprint URI
Hi Carsten, Hi Christian,
I have been watching the recording from the IETF#118 COSE WG meeting where you
provided feedback about the COSE Key Thumbprint URI functionality. Due to a
conflict I wasn't able to attend that session.
Mike noted correctly that the design of the COSE Key Thumbprint URI aimed to
mirror the JSON Web Key (JWK) Thumbprint URIs (RFC9278) specification.
Two comments were provided, which I would like to resolve in the near
future:
1) Carsten, you argued not to use the urn:parameters:oauth IANA registry
because there could be confusion due to the use of the word "oauth" in there.
What other registry would you use? We could add a paragraph to the draft saying
that the use is not limited to OAuth, if that helps.
2) Christian, you argued against the use of the IANA "Named Information Hash
Algorithm Registry" for the hash algorithms. The argument was that the
algorithm registry is not well maintained. You suggested using the COSE
algorithms registry instead. This would turn the following URI from
urn:ietf:params:oauth:ckt:sha-256:SWvYr63zB-WwjGSwQhv53AFSijRKQ72oj63RZp2iU-w
to urn:ietf:params:oauth:ckt:-16:SWvYr63zB-WwjGSwQhv53AFSijRKQ72oj63RZp2iU-w
Maintaining a hash algorithm registry seems trivial since the number of hash
algorithms doesn't seem to grow quickly. Re-using the COSE algorithms registry,
however, might confuse readers since it contains a lot of other algorithms.
I am not sure how to resolve these different views about the solution design.
Ciao
Hannes
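
The two URI forms quoted in the message above name the same digest but differ as strings, so a relying party that compares thumbprint URIs textually would treat them as different keys. The following is an added example, not part of the original messages or of the draft: a parser that accepts either hash identifier and compares the decoded digests. The mapping of both "sha-256" and "-16" to SHA-256 is an assumption taken from the pair of URIs in the thread, and the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import string

PREFIX = "urn:ietf:params:oauth:ckt:"
B64URL = set(string.ascii_letters + string.digits + "-_")

# Hash identifier -> hashlib name. "sha-256" is the Named Information form,
# "-16" the COSE-registry form from the thread (assumed to mean SHA-256).
HASHES = {"sha-256": "sha256", "-16": "sha256"}

# The two URIs quoted in the thread.
URI_NI = PREFIX + "sha-256:SWvYr63zB-WwjGSwQhv53AFSijRKQ72oj63RZp2iU-w"
URI_COSE = PREFIX + "-16:SWvYr63zB-WwjGSwQhv53AFSijRKQ72oj63RZp2iU-w"


def parse_ckt_uri(uri):
    """Return (hashlib_name, digest_bytes); raise ValueError if malformed."""
    if not uri.startswith(PREFIX):
        raise ValueError("not a COSE Key Thumbprint URI")
    # Split on the last ':' so the hash identifier cannot absorb digest text.
    hash_id, sep, b64 = uri[len(PREFIX):].rpartition(":")
    if not sep or hash_id not in HASHES:
        raise ValueError("unknown hash identifier: %r" % hash_id)
    # Unpadded base64url only: reject '=' and any other foreign character.
    if not b64 or not set(b64) <= B64URL:
        raise ValueError("thumbprint is not unpadded base64url")
    digest = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    name = HASHES[hash_id]
    # A truncated or extended value must not pass as a valid thumbprint.
    if len(digest) != hashlib.new(name).digest_size:
        raise ValueError("digest length does not match %s" % name)
    return name, digest


def same_thumbprint(uri_a, uri_b):
    """Compare two thumbprint URIs by hash function and digest, not by text."""
    name_a, digest_a = parse_ckt_uri(uri_a)
    name_b, digest_b = parse_ckt_uri(uri_b)
    return name_a == name_b and hmac.compare_digest(digest_a, digest_b)
```
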