Thanks for reviewing the specification, Mike, and for your useful comments.  My 
replies are inline below, prefixed by "mbj>".

-----Original Message-----
From: Mike Bishop via Datatracker <[email protected]>
Sent: Wednesday, May 7, 2025 4:32 PM
To: The IESG <[email protected]>
Cc: [email protected]; [email protected]; 
[email protected]; [email protected]; [email protected]
Subject: Mike Bishop's No Objection on 
draft-ietf-jose-fully-specified-algorithms-11: (with COMMENT)

Mike Bishop has entered the following ballot position for
draft-ietf-jose-fully-specified-algorithms-11: No Objection

When responding, please keep the subject line intact and reply to all email 
addresses included in the To and CC lines. (Feel free to cut this introductory 
paragraph, however.)


Please refer to 
https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/
for more information about how to handle DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-jose-fully-specified-algorithms/



----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

What is the update to 8037? This specification notes the changes to 7518 and
9053, but doesn't state a change to 8037. (I suspect it's intended to be
Section 5, but that defines behavior for the new algorithms in this document;
it does not modify the algorithms specified in 8037.)

mbj> The update is deprecating the polymorphic algorithms registered by 8037.  
I'll update the specification to say that.

Why are the registered names for COSE not aligned with the ones that already
exist for JOSE (e.g. ESP256 in COSE vs. ES256 in JOSE)? I assume this has to do
with the fact that the currently registered polymorphic entry already has the
name ES256, but then why not update the name for JOSE to align?

mbj> Exactly.  I would have preferred naming alignment but it's particularly 
unfortunate that COSE registered names like "ES256" with a different meaning 
than the corresponding JOSE algorithms with the same name.  The COSE ones are 
polymorphic.  The JOSE ones are not.  Thus, the need to introduce different 
names in COSE.  Whereas it doesn't make sense to add those to JOSE, because the 
existing names already do the right thing and are in widescale use.  Changing 
the algorithm identifier would be a breaking change to JOSE.

JOSE does not appear to have corresponding entries for Brainpool curves. Is
there a reason to define them for COSE and not JOSE?

mbj> The working group decided to only register fully-specified algorithms for 
polymorphic algorithm combinations that were actually in use, as a way to limit 
the scope of the work.  In this particular case, the Brainpool algorithms are 
in use in ISO mobile driving licenses (mDL) - ISO 18013-5.  There was a 
specific request from ISO representatives to register these fully-specified 
algorithms for COSE.  There was no corresponding use for JOSE.  That said, 
another spec can be written to register them, when needed/wanted.

Minor nits:

- In the abstract, "Whereas" doesn't really add anything. Just start with "It".

mbj> Will do.

- In Section 1, the exclamation mark seems unnecessary after "For instance,
with EdDSA, it is not known which of the curves Ed25519 and/or Ed448 are
supported!"
- In Sections 3.x, "This section discusses them." is unnecessary.

mbj> Will do.

Thanks again for the useful review!

                                -- Mike

P.S.  I plan to make these updates soon after the telechat - possibly later today.  
I normally get these kinds of updates done before the telechat, but I was 
giving a keynote this morning at the European Identity Conference and am 
moderating sessions most of the day, so my bandwidth has been temporarily 
limited.

_______________________________________________
jose mailing list -- [email protected]
To unsubscribe send an email to [email protected]
