On Apr 20, 2018, at 12:49, Neil Madden <[email protected]> wrote:
>
> insecure implementations of old standards don’t go away because you introduce
> a new standard

Exactly. If we have to invent a new standard each time an existing standard is implemented with a security flaw, we have a lot of work to do. Insecure implementations exist even of standards such as TLS. Usually the strategy is to fix the implementations. (It is also a good idea to envision what implementers will mess up when creating a new standard. But there are limits to that approach.)

One of the objectives in the definition of COSE was to avoid some of the pitfalls of JOSE. There is also work ongoing to document the security considerations of JOSE better, e.g., draft-ietf-oauth-jwt-bcp.

I’d like to focus the energy that appears to be visible here on agreeing good SIV constructions and getting them registered with COSE.

Regards,
Carsten

_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
