The case can be made that the working group has had this opportunity to choose 
an answer during the entire life of the working group and the answer has never 
varied - there should be a small set of commonly implemented required algorithms 
to promote interoperability.  This has been true in all 26 working group drafts 
of JWA, going back to draft-ietf-jose-json-web-algorithms-00 in January 2012.

The +/- notation was added to the Implementation Requirements at the suggestion 
of Sean Turner in JWA draft -03 in January, 2013.

The question of required algorithms was explicitly considered as JOSE issue 
#10: http://trac.tools.ietf.org/wg/jose/trac/ticket/10.  Despite there being a 
minority of working group participants (primarily you, Richard, as I recall) 
who opposed MTI algorithms, most seemed to be in favor.

I personally don't see it as being productive to try to re-open this already 
heavily discussed issue now.

                                                                -- Mike

From: jose [mailto:[email protected]] On Behalf Of Richard Barnes
Sent: Wednesday, April 16, 2014 10:18 AM
To: John Bradley
Cc: Hannes Tschofenig; [email protected]
Subject: Re: [jose] Implementation Requirements

On Wed, Apr 16, 2014 at 10:34 AM, Richard Barnes 
<[email protected]> wrote:
Let me address this in two parts, first with my IESG hat on, and then as an 
individual.

<hat type="IESG">
The IESG does NOT think that a set of mandatory algorithms in JWA is a 
requirement for interoperability.

Clarification: I did not mean to imply that the IESG has an opinion one way or 
another on this issue.  It hasn't been brought up.  But there are at least a 
couple of members of the IESG who do not believe that mandatory algorithms are 
a requirement.

In other words: The IESG hasn't made up its collective mind on this yet, so the 
WG has an opportunity to choose an answer and make an argument for it.


After having discussed this with Kathleen and Sean: There are several different 
ways to address interoperability with a framework protocol like JOSE.  CMS 
provides a fine example of how algorithms can be left flexible at the security 
layer, with applications like S/MIME defining algorithm requirements.  
Algorithm agility is another important consideration in security protocol 
design, and locking in algorithms too deeply can hinder updates in the future.
</hat>

<hat type="individual">
I continue to be concerned that having mandatory algorithms for JOSE will make 
two types of applications non-compliant:
1. JOSE implementations are often going to not have any choice in what 
algorithms they can support.  They're going to be built on top of crypto 
libraries, which either support an algorithm or they don't.  It's pointless to 
levy requirements at the JOSE layer.
2. Constrained devices aren't going to want to implement a whole boatload of 
algorithms, just the ones they need for their use cases.

Limiting the requirement to "standalone JOSE libraries" doesn't address either 
of these concerns.

As a compromise, how about if we define a RECOMMENDED suite of common 
algorithms?  That would help guide implementations toward interop without 
ruling out the above use cases.
</hat>

Hope that helps clarify things,
--Richard

On Mon, Apr 14, 2014 at 9:09 AM, John Bradley 
<[email protected]> wrote:
The IESG wants to see interoperability between implementations, to do that 
without dragging in discovery etc there need to be minimum feature sets of JOSE 
libraries that people can count on.

An application using JOSE can elect not to support all the algorithms, but JOSE 
libraries need to support the mandatory-to-implement algorithms.

On Apr 14, 2014, at 9:48 AM, Hannes Tschofenig 
<[email protected]> wrote:

Hi all,

I am looking at the implementation requirements of the JWA spec and I am 
wondering to what deployment environment they refer.
The JW* specs are generic building blocks and I fail to see how one can list 
mandatory-to-implement algorithms.

Ciao
Hannes

_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose