Resending due to earlier mailing list problems...

From: Michael Jones
Sent: Tuesday, May 7, 2024 1:12 PM
To: Anders Rundgren <[email protected]>
Cc: Karen ODonoghue <[email protected]>; jose <[email protected]>
Subject: RE: "Ed25519 not recommended" Re: [jose] WGLC for draft-ietf-jose-fully-specified-algorithms

https://www.rfc-editor.org/rfc/rfc8152 defines the "Recommended" registry column as:

    Recommended: Does the IETF have a consensus recommendation to use the algorithm? The legal values are 'Yes', 'No', and 'Deprecated'.

That's not nearly as granular as the somewhat-corresponding "Implementation Requirements" column for JOSE in https://www.rfc-editor.org/rfc/rfc7518.html:

    JOSE Implementation Requirements: The algorithm implementation requirements for JWS and JWE, which must be one the words Required, Recommended, Optional, Deprecated, or Prohibited. Optionally, the word can be followed by a "+" or "-". The use of "+" indicates that the requirement strength is likely to be increased in a future version of the specification. The use of "-" indicates that the requirement strength is likely to be decreased in a future version of the specification. Any identifiers registered for non-authenticated encryption algorithms or other algorithms that are otherwise unsuitable for direct use as JWS or JWE algorithms must be registered as "Prohibited".

It's not my read of the COSE "No" value that you can't use the algorithm. It's more that COSE isn't making a statement that everyone must implement it (which would be a "Yes", as I understand it). "Deprecated" would be how COSE would say that you can't use it.

-- Mike

From: Anders Rundgren <[email protected]>
Sent: Tuesday, May 7, 2024 12:58 PM
To: Michael Jones <[email protected]>
Cc: Karen ODonoghue <[email protected]>; jose <[email protected]>
Subject: Re: "Ed25519 not recommended" Re: [jose] WGLC for draft-ietf-jose-fully-specified-algorithms

On Tue, May 7, 2024, 20:04 Michael Jones <[email protected]> wrote:

https://datatracker.ietf.org/doc/draft-ietf-jose-fully-specified-algorithms/ denotes support for the algorithms as Optional.
And https://www.iana.org/assignments/jose/jose.xhtml likewise denotes the corresponding curves also as being Optional.

Where is the "not recommended" text that you're referring to, Anders?

Hi Mike,

Ed25519
Ed448

Under COSE there is a subtitle "Recommend" that has the value "No".

I may be stupid but I don't understand how to interpret this. I would like to use these algorithms but apparently you should not.

Anders

-- Mike

From: Anders Rundgren <[email protected]>
Sent: Tuesday, May 7, 2024 12:47 AM
To: Michael Jones <[email protected]>
Cc: Karen ODonoghue <[email protected]>; jose <[email protected]>
Subject: "Ed25519 not recommended" Re: [jose] WGLC for draft-ietf-jose-fully-specified-algorithms

Could the authors please inform us mere mortals about the purpose of making Ed25519 and Ed448 not recommended?

Anders
