That link https://www.ietf.org/archive/id/draft-ietf-jose-deprecate-none-rsa15-02.html#section-1.1-4 points to the last paragraph of section 1.1. The 'none' algorithm <https://www.ietf.org/archive/id/draft-ietf-jose-deprecate-none-rsa15-02.html#name-the-none-algorithm> that has the text:
'Although there are some legitimate use-cases for Unsecured JWS, these are relatively few in number and can easily be satisfied by alternative means. The small risk of breaking some of these use-cases is far outweighed by the improvement in security for the majority of JWS users who may be impacted by accidental acceptance of the "none" algorithm.' Which is the text I'm suggesting already provides pretty good and even-handed treatment of the topic and shouldn't be changed. On Wed, Jul 30, 2025 at 1:30 PM Michael Jones <[email protected]> wrote: > The use cases that I’m asking to have added for reference are about “alg”: > “none”, so readers will know why it exists and how it is used – not > “RSA1_5”. I agree with Brian that the text describing “RSA1_5” is already > fine. > > > > -- Mike > > > > *From:* Brian Campbell <[email protected]> > *Sent:* Wednesday, July 30, 2025 11:02 AM > *To:* Neil Madden <[email protected]> > *Cc:* Michael Jones <[email protected]>; [email protected]; > [email protected] > *Subject:* Re: [jose] Re: Review of > draft-ietf-jose-deprecate-none-rsa15-02 > > > > > > On Wed, Jul 30, 2025 at 2:53 AM Neil Madden <[email protected]> > wrote: > > *1.1. > <https://www.ietf.org/archive/id/draft-ietf-jose-deprecate-none-rsa15-02.html#section-1.1>The > 'none' algorithm > <https://www.ietf.org/archive/id/draft-ietf-jose-deprecate-none-rsa15-02.html#name-the-none-algorithm>: > *After the sentence beginning “Although there are some legitimate > use-cases for Unsecured JWS”, I suggest adding this text: > > One of the legitimate use cases for Unsecured JWSs is OpenID Connect ID > Tokens secured by sending them over a TLS connection, as described in > Section 2 of [OpenID.Core]. Another legitimate use is unsigned request > objects, as described in Section 6.1 of [OpenID.Core]. > > > > I’m open to adding something along these lines. I’ll raise a PR. > > > > I thought the text in > https://www.ietf.org/archive/id/draft-ietf-jose-deprecate-none-rsa15-02.html#section-1.1-4 > provies pretty good and even-handed treatment as is. I think it'd be a > mistake to list specific cases in the text here. > > > > > *CONFIDENTIALITY NOTICE: This email may contain confidential and > privileged material for the sole use of the intended recipient(s). Any > review, use, distribution or disclosure by others is strictly prohibited. > If you have received this communication in error, please notify the sender > immediately by e-mail and delete the message and any file attachments from > your computer. Thank you.* > -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._
_______________________________________________ jose mailing list -- [email protected] To unsubscribe send an email to [email protected]
