> On 6 May 2022, at 17:26, Sergey Beryozkin <[email protected]> wrote:
>
>
> Hi Everyone
>
> I'm contributing to a project where `RSA-OAEP` [1] is currently a default
> key encryption algorithm for encrypting JWT claims and we've had a request to
> replace it with `RSA-OAEP-256` because `SHA-1` is used in `RSA-OAEP`.
>
> I'd like to ask the experts, why does `RSA-OAEP` have a `Recommended+`
> status, while `RSA-OAEP-256` is optional, at [1]?
>
> Also, while it is not a JOSE specific question, I'd appreciate some comments
> on whether having an `SHA-1` element in the `RSA-OAEP` encryption process
> makes `RSA-OAEP` less secure or not. My basic understanding, based on some
> Web search results, is that `RSA-OAEP` remains a secure algorithm.

It may be better to ask this question of CFRG. I am not aware of any attacks on
SHA-1 in the context of MGF1 at the current time. But that may be partly
because nobody is looking for them: SHA-1 has been proven insecure; do
cryptographers have to publicly break every individual use of it before people
stop using it?

> Thanks, Sergey
>
> [1] https://tools.ietf.org/html/rfc7518#section-4.3%5BRSA-OAEP%5D
> _______________________________________________
> jose mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/jose
— Neil
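
Added example, not part of the original thread or of any project mentioned in it: a small audit helper that reads the `alg` from a JWE compact token's protected header and reports which digest OAEP and MGF1 use for it under RFC 7518 section 4.3, alongside an MGF1 implementation showing where that hash enters. The function names and the sample tokens are constructed for illustration.

```python
import base64
import hashlib
import json

# OAEP digest (also used for MGF1) per RFC 7518 section 4.3.
OAEP_DIGEST = {"RSA-OAEP": "sha1", "RSA-OAEP-256": "sha256"}


def mgf1(seed: bytes, length: int, digest: str) -> bytes:
    """MGF1 mask generation (RFC 8017, B.2.1): Hash(seed || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.new(digest, seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def jwe_protected_header(token: str) -> dict:
    """Decode the first segment of a JWE compact serialization (5 parts)."""
    parts = token.split(".")
    if len(parts) != 5:
        raise ValueError("not a JWE compact serialization")
    seg = parts[0]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))


def audit_jwe_alg(token: str) -> tuple:
    """Return (alg, OAEP digest or None, True if the digest is SHA-1)."""
    alg = jwe_protected_header(token).get("alg")
    digest = OAEP_DIGEST.get(alg)
    return alg, digest, digest == "sha1"


def make_sample(alg: str) -> str:
    """Constructed token: real header, placeholder values for the other parts."""
    hdr = json.dumps({"alg": alg, "enc": "A256GCM"}).encode()
    return base64.urlsafe_b64encode(hdr).rstrip(b"=").decode() + ".k.i.c.t"


if __name__ == "__main__":
    for alg in ("RSA-OAEP", "RSA-OAEP-256", "ECDH-ES"):
        print(audit_jwe_alg(make_sample(alg)))
    print(mgf1(b"seed", 8, "sha1").hex(), mgf1(b"seed", 8, "sha256").hex())
```
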