JWS signature algorithms for RW

Comments (14)

1. 

   Dave Tonge

   I agree that this is unclear, surely we would also support the other algorithms that are in the same category. Also, what is the rationale for not supporting the RS* family of algorithms?

   • 2017-06-12T08:03:49+00:00
2. 

   Nat Sakimura

   From the interoperability point of view, it is good to have a limited set of algorithms to support. From that point of view, PS256 and ES256 seem to be good options given it provides adequate protection. We have ruled out RS256 because PKCS1-v1.5 is broken and insecure. (We knew that even when we were writing JWS but at the time the library support for PSS was limited so we opted for PKCS1-v1.5.) Algorithm 'none' is also ruled out for an obvious reason.

   I am OK with re-phrasing it as "Implementations shall implement PS256 and ES256 as the algorithm for JWS signatures. Algorithm none and RS256 shall not be used."

   • 2017-06-14T05:26:00+00:00
3. 

   Nat Sakimura

   • changed status to open

   • 2017-06-14T05:26:08+00:00
4. 

   Nat Sakimura

   Just recording the result of more discussions. While the rationale for not supporting RS256 is cryptographically sound, in the cases where HSM only supports RS256, that can become pretty much the only option and it would still be better to use HSM than just being software based.

   So, the WG precipitated to the following conclusion.

   • shall implement PS256 and ES256 the implementation is software only or the HSM supports them;
   • shall implement RS256 if the HSM deployed does not support PS256 or ES256;
   • shall not support none;

   • 2017-07-15T04:52:19+00:00
5. 

   Nat Sakimura

   • changed milestone to R3 - Nov 2017
   • assigned issue to
     
     Nat Sakimura

   I am postponing the resolution of this ticket to R3.

   Constructing a correct language to permit RS256 only in the case of the using HSM that does not support ES256 nor PS256 is not simple. I need more time to carefully construct it.

   Perhaps I can put a note for the time being.

   • 2017-07-15T05:08:57+00:00
6. 

   Nat Sakimura

   1. shall implement PS256 and ES256
   2. shall not implement Digital Signature with RSASSA-PKCS1-v1_5
   3. shall not implement none
   4. may implement other algorithms that are deemed more secure than PS256 and ES256

   Dave is going to add a NOTE: as well to explain the context.

   • 2018-01-29T16:56:19+00:00
7. 

   Nat Sakimura

   • assigned issue to
     
     Dave Tonge

   • 2018-01-29T16:59:40+00:00
8. 

   Dave Tonge

   we need to pick this up - I'll see if i can get to it this before the next meeting. PS256 support is lacking across many jwt libraries.

   • 2018-07-13T10:07:05+00:00
9. 

   Nat Sakimura

   Updates?

   • 2018-08-15T03:39:28+00:00
10. 

    Dave Tonge

    I've made a pull request: https://bitbucket.org/openid/fapi/pull-requests/67/signature-algorithms-101/diff

    I changed shall not implement Digital Signature with RSASSA-PKCS1-v1_5 to should - we can discuss on the call, but I felt that having it as a shall would make a lot of existing implementations non-compliant.

    • 2018-08-15T13:35:43+00:00
11. 

    Nat Sakimura

    • changed status to resolved

    Merged in dgtonge/fapi/signature-algorithms-101 (pull request #67)

    Fix #101 Signature algorithms

    Approved-by: Joseph Heenan joseph@authlete.com Approved-by: Brian Campbell bcampbell@pingidentity.com Approved-by: Nat Sakimura sakimura@gmail.com

    → <<cset 5588c034a748>>

    • 2018-08-27T06:31:20+00:00
12. 

    Nat Sakimura

    • changed component to Part 2: Advanced

    • 2022-12-14T15:36:09+00:00
13. 

    Nat Sakimura

    • changed component to FAPI 1 – Part 2: Advanced

    • 2022-12-14T15:36:43+00:00
14. 

    Nat Sakimura

    • changed component to FAPI 1: Advanced

    • 2022-12-14T15:38:53+00:00
15. Log in to comment