Hiya in return and inline below...

On Thu, Oct 16, 2014 at 3:00 PM, Stephen Farrell <stephen.farr...@cs.tcd.ie> wrote:
>
> Hmm. So the SAML one only seems to have RSA-SHA1 as the MTI and the
> JOSE one has only H256 as required.
>
> Doesn't that seem like one is unacceptably old and the other
> is not great for this purpose?
>

Admittedly, I was a little worried you'd say that :)

>
> My suggestion would be to add rsa-sha256 as MTI for these, as an
> addition to whatever JOSE and SAML make MTI. But I'd be happy to
> clear if you made any modern signature alg MTI.
>

Honestly, in my view, an MTI on these doesn't make a whole lot of sense as I think what's actually implemented/supported will be dictated by the larger deployments of SAML/SAMLP or JWT/JOSE/OpenID Connect. My feeling is that an MTI in these specs would likely be ignored and/or not influence implementers/deployers. So my preference would be to leave MTI out of these. But if you're not swayed by that line of thinking, and I'm guessing you're not, rsa-sha256 is probably the most appropriate choice. Could you give some guidance and/or point to examples of where and how to say that appropriately in the documents? Thanks!

> Cheers,
> S.
>
> PS: Stuff below is fine.
>

Great, thank you.
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth