Hi,

It would be good to have more discussion of the draft in COSE. Some people go to 
both COSE and JOSE, but many people are strictly interested in one of them.

One more comment:

I think the deprecations are problematic:
  - JOSE EdDSA
  - COSE ES256 (-7)
  - COSE ES384 (-35)
  - COSE ES512 (-36)
  - COSE EdDSA (-8)

- There is nothing wrong with these algorithms in systems that do not need to 
negotiate capabilities using the algorithm identifiers. A lot of systems are 
using these algorithms without problem. They are also hardcoded in other RFCs 
and external specifications.

- COSE: Deprecating ES256 (-7) and EdDSA (-8) and registering ESP256 (-9) and 
Ed25519 (-50) adds one (or more) byte for people using Ed25519 in COSE and uses 
one more of the rare 1 byte identifiers.

Cheers,
John Preuß Mattsson
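
Added example, not part of the original message: a minimal CBOR integer encoder (shortest-form heads per RFC 8949) that measures how many bytes each COSE algorithm identifier named above occupies, alone and inside a one-entry protected header map `{1: alg}`. The identifier values are the ones quoted in the message; the function names are made up for this illustration.

```python
import struct

# Algorithm identifiers as quoted in the message above.
ALGS = {"ES256": -7, "EdDSA": -8, "ESP256": -9,
        "ES384": -35, "ES512": -36, "Ed25519": -50}


def cbor_int(n: int) -> bytes:
    """Encode an integer using the shortest CBOR head (major type 0 or 1)."""
    # Negative integers are major type 1 and carry the value -1 - n.
    major, value = (0, n) if n >= 0 else (1, -1 - n)
    if value < 24:
        # Values 0..23 fit in the initial byte itself: 1 byte total.
        return bytes([(major << 5) | value])
    for additional_info, fmt in ((24, ">B"), (25, ">H"), (26, ">I"), (27, ">Q")):
        if value < 1 << (8 * struct.calcsize(fmt)):
            return bytes([(major << 5) | additional_info]) + struct.pack(fmt, value)
    raise ValueError("integer outside the CBOR 64-bit range")


def protected_header(alg: int) -> bytes:
    """CBOR map with one pair: label 1 (alg) -> algorithm identifier."""
    return b"\xa1" + cbor_int(1) + cbor_int(alg)


def identifier_sizes() -> dict:
    """Map each algorithm name to (identifier bytes, header map bytes)."""
    return {name: (len(cbor_int(alg)), len(protected_header(alg)))
            for name, alg in ALGS.items()}


if __name__ == "__main__":
    for name, (id_len, hdr_len) in identifier_sizes().items():
        print(f"{name:8} {ALGS[name]:4}  id={id_len} byte(s)  header={hdr_len} byte(s)")
```

Only identifiers from -1 to -24 (and 0 to 23) fit in a single byte, which is why that range is scarce.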

From: jose <[email protected]> on behalf of John Mattsson 
<[email protected]>
Date: Thursday, 21 March 2024 at 09:55
To: [email protected] <[email protected]>, [email protected] <[email protected]>
Subject: [jose] Review of draft-ietf-jose-fully-specified-algorithms-02
Hi,

- “6.1.  Algorithms for Signing with RSASSA-PKCS1-v1_5”

Probably better to call this “6.1 RSA Algorithms” as it applies to RS*, PS*, 
and RSAES-OAEP.

- “The working group has discussed whether the RS256, RS384, and RS512 
algorithms should be considered fully-specified or not”

I think the group needs to decide if registrations like this should be allowed 
in the future. This should be clear if someone wants to specify similar 
algorithms.

- “This is not a problem in practice, because RSA libraries accommodate keys of 
different sizes without having to use different code.”

This is not always true. I know of still deployed RSA implementations that only 
support up to RSA-2048. But this was not COSE/JOSE. I would however not be 
surprised if COSE implementations on very constrained devices run out of memory 
if they are given a large RSA key.

- HSS-LMS is not fully specified. Maybe that should be mentioned.

Cheers,
John Preuß Mattsson
