On Tue, Oct 24, 2023 at 4:46 AM Ilari Liusvaara <[email protected]> wrote:
> On Tue, Oct 24, 2023 at 07:19:59AM +0200, [email protected] wrote: > > Hi all, > > > > Les and I have put together a draft that starts to capture guidance > > for JOSE (and COSE) following the recent list discussion about key > > ids (see > https://mailarchive.ietf.org/arch/msg/jose/Ziu1dqu9p19U-n1bhR4A5yof5ec/). > > > > Here is the link to the draft: > > > > https://datatracker.ietf.org/doc/draft-tschofenig-jose-cose-guidance/ > > One topic I would like to see covered is API design guidance for > libraries. > > For example, offer separate functions for verifying signatures and > MACs, both rejecting anything that is not of correct type (implying > that both reject alg=none). Mixing algorithms with different properties > is very dangerous for security. > > Or that normal decryption functions need to insta-reject CBC and CTR > algorithms. > > > Another topic is how to use 'jwk' header. I have seen correct and > incorrect uses of similar headers. > > And another is why Direct Encryption REALLY SHOULD NOT be used. > Can you say more about why? This is one I don't recall having seen much discussion/criticism about. > And there are plenty of other landmines to mark... > > > > > -Ilari > > _______________________________________________ > jose mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/jose > -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._
_______________________________________________ jose mailing list [email protected] https://www.ietf.org/mailman/listinfo/jose
