I took an action item during the last call to write text along the lines
suggested by ekr about applications and "alg":"none". I propose that the
following text be included:

It is RECOMMENDED that libraries provide applications a means of specifying the
list of acceptable algorithms used in a JWS object in a way that causes inputs
using algorithms outside the specified set to be rejected. In particular, it
is intended for applications to use this mechanism to exclude accepting inputs
using "alg":"none" in security contexts where non-integrity protected inputs
are not acceptable.

Feedback/proposed wording refinements welcomed.

-- Mike
_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
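
An added example, not part of the original message or of any JOSE library: a sketch of the library interface the proposed text recommends, where the application passes the set of acceptable algorithms and anything outside it, including "alg":"none", is rejected before signature processing. The names `verify_jws`, `allowed_algs` and `AlgorithmNotAllowed`, and the demo key and tokens, are assumptions constructed for illustration.

```python
import base64, hashlib, hmac, json

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class AlgorithmNotAllowed(ValueError):
    """Raised when the header "alg" is outside the application's allowlist."""

def make_jws(payload: dict, alg: str, key: bytes = b"") -> str:
    # Demo-only producer: HS256, or the unsecured "none" with empty signature.
    header = b64url_encode(json.dumps({"alg": alg}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    signing_input = f"{header}.{body}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{header}.{body}.{b64url_encode(sig)}"

def verify_jws(token: str, key: bytes, allowed_algs: frozenset) -> dict:
    # The allowlist check runs first, so the token's own header can never
    # select an algorithm the application did not opt in to.
    header_b64, body_b64, sig_b64 = token.split(".")
    alg = json.loads(b64url_decode(header_b64)).get("alg")
    if not isinstance(alg, str) or alg not in allowed_algs:
        raise AlgorithmNotAllowed(f"alg {alg!r} not in application allowlist")
    if alg == "HS256":
        signing_input = f"{header_b64}.{body_b64}".encode("ascii")
        expected = hmac.new(key, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            raise ValueError("signature mismatch")
    elif alg == "none":
        if sig_b64:
            raise ValueError("unsecured JWS must carry an empty signature")
    else:
        raise ValueError(f"alg {alg!r} not implemented in this sketch")
    return json.loads(b64url_decode(body_b64))

KEY = b"constructed-demo-key"                      # constructed sample key
SIGNED = make_jws({"sub": "alice"}, "HS256", KEY)  # constructed sample tokens
UNSECURED = make_jws({"sub": "alice", "admin": True}, "none")

def is_accepted(token: str, allowed: frozenset, key: bytes = KEY) -> bool:
    try:
        verify_jws(token, key, allowed)
        return True
    except ValueError:
        return False
```

An application that requires integrity protection passes `frozenset({"HS256"})`; the unsecured token is then refused even though it is well-formed.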