On Mon, Jan 8, 2024 at 9:52 AM Orie Steele <[email protected]> wrote: > > We got some good responses from the TLS list on the interpretation of their > suites, please review them: > > https://mailarchive.ietf.org/arch/msg/tls/LXBUvjMdhEpgIEC1CEzTuDKZNwY/
Yes, that summarizes exactly what the JOSE group was warned about many years ago wrt. the polymorphic approach. The experiences with TLS 1.2 and 1.3 further underscores the reasons that the Data Integrity work at the W3C has decided to NOT go down the "polymorphic" algorithm path. The problem with the "fully specified" specification is that it's attempting to slap a bandaid on the problem which is only going to make the problem worse. Banning polymorphic algorithm identifiers would be the way to go, but as I said, the JOSE group made the decision to go down the polymorphic algorithm identifier route long ago and supporting both polymorphic and fully-specified will just make everything more complicated for JOSE developers and lead to interoperability failures. -- manu -- Manu Sporny - https://www.linkedin.com/in/manusporny/ Founder/CEO - Digital Bazaar, Inc. https://www.digitalbazaar.com/ _______________________________________________ jose mailing list [email protected] https://www.ietf.org/mailman/listinfo/jose
