On Tue, Jul 07, 2026 at 03:29:11PM -0400, Soatok Dreamseeker wrote: > Respectfully, when we're talking about "negotiation", I mean any situation > where anyone ever decides to use Algorithm A instead of Algorithm B in any > conceptual way. That definition is too broad to be useful.
Generally that's going to involve negotiation somewhere. > I mean something much more specific: a runtime decision about which > algorithm to use. In JWT's case, this decision is determined entirely by an > in-band signal, which was not very well thought out. See: RSA-to-HMAC JWT > algorithm confusion attacks, or alg=none. > https://www.howmanydayssinceajwtalgnonevuln.com/ I don't know what you're arguing. If your argument is "don't get this wrong", then I agree 100%. If your argument harkens back to what I was originally responding to, namely that algorithm agility is bad, then I disagree 100%. Nico -- _______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
