FAPI2 JWS alg choices are much wider than FAPI1

Issue #473 resolved
Joseph Heenan created an issue

FAPI1Adv allowed only ‘PS256’ and ‘ES256’.

FAPI2Baseline says:

This seems to allow a much wider choice of algorithms, including possibly RS256 that was explicitly (and somewhat painfully for some implementers/deployments) dropped from FAPI1 due to concerns over RSASSA-PKCS1-v1_5 like those expressed in https://www.rfc-editor.org/rfc/rfc8017#section-8 (I’m not sure if that section is considered mandatory to comply with in FAPI2Baseline, if it is this could be a case where it’d be easier for everyone if a clear requirement similar to that in FAPI1 was used instead).

Comments (4)

  1. Log in to comment