On Thu, Apr 2, 2015 at 11:39 AM, Breno de Medeiros <[email protected]> wrote:

>
> Isn't the point here that libraries should _not_ work out of the box until
> some kind of trust configuration is provided? alg:none can be perfectly
> acceptable if the channel is trusted, for instance.
>

I agree.  Basically, what I'm saying is:
- that trust configuration should include which algorithm is meant to be used.
- if there is a complete trust configuration, then the `alg` field is not
needed (since it is already known).

In many libraries, the implementer did not realize that the choice of
algorithm should be part of the trust configuration, causing them to use
and trust the `alg` field.  Since it's not needed, why lead implementers
astray?

Cheers,
Tim
_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
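
The point argued in the message above, as an added example that is not part of the original thread or of any JOSE library: a verifier that lets the token's `alg` header select the check, next to one that takes the algorithm from the trust configuration. All function names, the `TRUST` dictionary and the choice of HS256 are assumptions made for illustration.

```python
import base64, hashlib, hmac, json

def b64d(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64e(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_token(header: dict, payload: dict, key: bytes = b"") -> str:
    """Build a compact JWS; signs with HMAC-SHA256 only when a key is given."""
    signing_input = b64e(json.dumps(header).encode()) + "." + b64e(json.dumps(payload).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest() if key else b""
    return signing_input + "." + b64e(sig)

def verify_trusting_header(token: str, key: bytes) -> dict:
    """Weak pattern: the token's own `alg` field decides how it is checked."""
    h, p, s = token.split(".")
    alg = json.loads(b64d(h)).get("alg")
    if alg == "none":  # sender-controlled field switches verification off
        return json.loads(b64d(p))
    if alg == "HS256":
        mac = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(mac, b64d(s)):
            return json.loads(b64d(p))
    raise ValueError("verification failed")

def verify_pinned(token: str, trust: dict) -> dict:
    """Algorithm comes from the trust configuration; the header never selects it."""
    if trust["alg"] != "HS256":
        raise ValueError("only HS256 is implemented in this sketch")
    h, p, s = token.split(".")
    header = json.loads(b64d(h))
    # A present `alg` may only confirm the configured value, never change it.
    if not isinstance(header, dict) or header.get("alg", trust["alg"]) != trust["alg"]:
        raise ValueError("header alg does not match trust configuration")
    mac = hmac.new(trust["key"], f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, b64d(s)):
        raise ValueError("bad signature")
    return json.loads(b64d(p))

# Constructed sample data (not from the thread).
TRUST = {"alg": "HS256", "key": b"constructed-demo-key"}
GOOD = make_token({"alg": "HS256"}, {"sub": "alice"}, TRUST["key"])
UNSIGNED = make_token({"alg": "none"}, {"sub": "admin"})
NO_ALG = make_token({}, {"sub": "alice"}, TRUST["key"])  # header omits `alg` entirely

def accepted(fn, token, arg) -> bool:
    try:
        fn(token, arg)
        return True
    except ValueError:
        return False
```

`NO_ALG` verifies under `verify_pinned` even though its header carries no `alg`, which is the case the message describes: with a complete trust configuration the field is not needed.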
