JOSE Working Group Members,
We are following up on discussions at IETF 124 on
draft-madden-jose-deprecate-none-rsa15.
Firstly, thank you to Neil for your work on this draft and to those who have
provided review thus far.
The one remaining outstanding item for this draft is whether to add text to
capture legitimate use cases of "none" as suggested by Mike in his review
https://mailarchive.ietf.org/arch/msg/jose/Z4IJGxKubk81LK8ZKYjY3prPmis/
This was discussed in Montreal, with views both for and against this addition,
and we agreed to follow up with discussion on list. With that in mind, we’d
like to ask for a rough consensus on which of the following two choices you
prefer:
Option 1) Change the text in Section 1.1 to include the following suggested
text:
"One of the legitimate use cases for Unsecured JWSs is OpenID Connect ID Tokens
secured by sending them over a TLS connection, as described in Section 2 of
[OpenID.Core]. Another legitimate use is unsigned request objects, as
described in Section 6.1 of [OpenID.Core]."
Option 2) Leave the text in Section 1.1 as it currently is:
"Although there are some legitimate use-cases for Unsecured JWS, these are
relatively few in number and can easily be satisfied by alternative means."
In the absence of a compromise on some alternative text that is agreed to by
rough consensus, we will need to make a choice between the two above
approaches.
Please respond to this email with your preference for Option 1 or Option 2.
Please provide a short rationale so we can capture the view of the Working
Group and move this draft forward.
This consensus call will last for two weeks ending on Tuesday, 17 February
2026.
Thanks,
JOSE Chairs