I support this new draft.

I'm glad that Ilari Liusvaara, as author of the 8037 RFC spec, has chimed in on this useful discussion. Of all std JOSE JWS algs that are currently considered standard - RSxxx, ESxxx and EdDSA - the EdDSA's polymorphic identifier makes it tricky to use in OAuth and OIDC situations where advertised metadata is used to configure and register clients. So, if one wants to be sure that the client registration is valid and the requests will work, the OKP of the other party needs to be fetched and its JWK params introspected.

There are ways for existing OIDC deployments to migrate from the EdDSA JWS alg to the Ed25519 & Ed448 JWS algs over time, or support both approaches indefinitely. Okay, some deployments may choose to keep things just as they are, but that's fine too.

Let's remind ourselves that we have new and upcoming security specs that can greatly benefit from having fully specced JWS algs, like OpenID Federation 1.0 for instance. The Federation spec makes use of policies, to ensure interop between the entities and compliance with security profiles, and these policies rely on the metadata paradigm. Polymorphic identifiers make it difficult or impossible to formulate and enforce JWS alg policies.

~Vladimir

On 02/01/2024 21:13, Karen ODonoghue wrote:
JOSE working group members,

This email starts a two-week call for adoption for:
https://datatracker.ietf.org/doc/draft-jones-jose-fully-specified-algorithms/

As discussed at the November IETF meeting, with the approved expansion of the charter to include maintenance items, this document is now within scope.

Please reply to this email with your comments on the adoption of this document as a starting point for the related JOSE work item.

This call will end on Wednesday, 17 January 2024.

Thank you,
JOSE co-chairs

_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
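
The metadata problem raised in the message above, as an added example that is not part of the original thread or of the draft: a policy check over an advertised JWS alg value can decide `Ed25519` or `Ed448` from metadata alone, while `EdDSA` stays undecided until the peer's OKP JWK is fetched and its `crv` inspected. The function names, the `allowed` profile and the sample keys are assumptions constructed for illustration.

```python
# Added example: deciding a JWS alg policy from metadata alone vs. with the key.
# Policy is expressed in concrete (curve-level) algorithms, as a profile would be.
FULLY_SPECIFIED = {"Ed25519", "Ed448"}   # alg values that name one algorithm
EDDSA_CURVES = {"Ed25519", "Ed448"}      # OKP signing curves from RFC 8037


def concrete_alg(alg, jwk=None):
    """Return the concrete algorithm for an advertised alg, or None if the
    alg value is polymorphic and no key was supplied to disambiguate it."""
    if alg in FULLY_SPECIFIED:
        concrete = alg
    elif alg == "EdDSA":
        if jwk is None:
            return None                  # metadata alone cannot answer
        concrete = jwk.get("crv")
    else:
        raise ValueError(f"unsupported alg in this example: {alg!r}")
    if jwk is not None:
        # Key introspection: the key must be an OKP on the expected curve.
        if jwk.get("kty") != "OKP" or jwk.get("crv") not in EDDSA_CURVES:
            raise ValueError("key is not an EdDSA-capable OKP")
        if jwk["crv"] != concrete:
            raise ValueError(f"alg {alg!r} does not match key curve {jwk['crv']!r}")
    return concrete


def policy_decision(alg, allowed, jwk=None):
    """Return 'allow', 'deny' or 'needs-key' for one advertised alg value."""
    concrete = concrete_alg(alg, jwk)
    if concrete is None:
        return "needs-key"
    return "allow" if concrete in allowed else "deny"


# Constructed sample keys; the x values are placeholders, no signature is verified.
JWK_ED25519 = {"kty": "OKP", "crv": "Ed25519", "x": "constructed-placeholder"}
JWK_ED448 = {"kty": "OKP", "crv": "Ed448", "x": "constructed-placeholder"}

if __name__ == "__main__":
    allowed = {"Ed25519"}                # hypothetical security profile
    for alg, jwk in [("EdDSA", None), ("EdDSA", JWK_ED448),
                     ("EdDSA", JWK_ED25519), ("Ed25519", None), ("Ed448", None)]:
        print(alg, jwk and jwk["crv"], "->", policy_decision(alg, allowed, jwk))
```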
