FAPI2 JWS alg choices are much wider than FAPI1
Issue #473
resolved
FAPI1Adv allowed only ‘PS256’ and ‘ES256’.
FAPI2Baseline says:
This seems to allow a much wider choice of algorithms, including possibly RS256 that was explicitly (and somewhat painfully for some implementers/deployments) dropped from FAPI1 due to concerns over RSASSA-PKCS1-v1_5 like those expressed in https://www.rfc-editor.org/rfc/rfc8017#section-8 (I’m not sure if that section is considered mandatory to comply with in FAPI2Baseline, if it is this could be a case where it’d be easier for everyone if a clear requirement similar to that in FAPI1 was used instead).
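Whatever wording the profile settles on, a verifier has to turn the allowed-algorithm set into a hard check that runs before any key lookup or signature verification, so that a token carrying RS256 (or `none`, or an HMAC alg) is rejected outright rather than handed to whichever code path the header names. The following is an added example, not code from the FAPI specifications or from the OpenID Foundation; it uses only the Python standard library, takes the FAPI 1 Advanced set {PS256, ES256} mentioned above as the default allowlist, and builds its sample tokens locally with dummy signatures (constructed input, not real FAPI tokens).

```python
"""Enforce a JWS `alg` allowlist before any signature verification.

Added example, stdlib only. The default allowlist is the FAPI 1 Advanced
set named in the issue; the token builder below produces constructed test
input with a dummy signature and is not a signing routine.
"""
import base64
import json
from typing import FrozenSet, Tuple

# FAPI 1 Advanced permitted only these two JWS algorithms. RS256 was dropped
# over the RSASSA-PKCS1-v1_5 concerns in RFC 8017 section 8.
FAPI1_ADV_ALGS: FrozenSet[str] = frozenset({"PS256", "ES256"})


def _b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment (JWS never carries '=')."""
    if "=" in segment:
        raise ValueError("padding characters are not allowed in JWS segments")
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_unsigned_jws(header: dict, payload: dict) -> str:
    """Build a compact JWS with a dummy signature (constructed test input only)."""
    head = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    body = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return f"{head}.{body}.{_b64url_encode(b'not-a-real-signature')}"


def check_jws_alg(jws: str, allowed: FrozenSet[str] = FAPI1_ADV_ALGS) -> Tuple[bool, str]:
    """Return (accepted, reason).

    This runs before key resolution and before any cryptographic call, so the
    `alg` value in an attacker-controlled header can never select a weaker
    verification path than the profile allows.
    """
    parts = jws.split(".")
    if len(parts) != 3:
        return False, "compact JWS must have exactly three segments"
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except (ValueError, UnicodeDecodeError):
        return False, "protected header is not valid base64url-encoded JSON"
    if not isinstance(header, dict):
        return False, "protected header must be a JSON object"
    alg = header.get("alg")
    if not isinstance(alg, str):
        return False, "alg header is missing or not a string"
    # Exact, case-sensitive comparison: "RS256", "HS256", "none" and "ps256"
    # all fail against the default allowlist.
    if alg not in allowed:
        return False, f"alg {alg!r} is not in the allowed set {sorted(allowed)}"
    return True, f"alg {alg} permitted"


if __name__ == "__main__":
    # Constructed tokens exercising the accepted and rejected cases.
    samples = {
        "PS256": make_unsigned_jws({"alg": "PS256", "kid": "k1"}, {"iss": "https://as.example"}),
        "ES256": make_unsigned_jws({"alg": "ES256", "kid": "k2"}, {"iss": "https://as.example"}),
        "RS256": make_unsigned_jws({"alg": "RS256", "kid": "k1"}, {"iss": "https://as.example"}),
        "none": make_unsigned_jws({"alg": "none"}, {"iss": "https://as.example"}),
        "missing alg": make_unsigned_jws({"typ": "JWT"}, {"iss": "https://as.example"}),
    }
    for label, token in samples.items():
        ok, reason = check_jws_alg(token)
        print(f"{label:12s} -> {'ACCEPT' if ok else 'REJECT'}: {reason}")
```

The check is deliberately separate from signature verification: the allowlist is compared against the header first, and only a token that passes should ever reach a JOSE library call with the resolved key. Widening the profile's algorithm set is then a one-line change to the allowlist rather than a change to the verification code.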
Comments (5)
- changed status to resolved
PR merged
- changed component to FAPI2: Security Profile
On the March 2 call, it was agreed that this widening was not intentional.