Unclear section 5.4 of FAPI2 security profile

Comments (5)

Filip Skokan

Does this mean that AS must only use EC keys for JWTs? or is section 1b here only applicable Ed25519 keys?

I don’t understand how it could be read as such.

The section is called Cryptography and Secrets and doesn’t only pertain to JWT/S

1) An AS can use either one of the three JWS Algorithms for its issued assertions

PS256 is RSASSA-PSS using SHA-256 and MGF1 with SHA-256, as defined in the JWA spec it is already required to use keys of 2048 bit or larger
ES256 is ECDSA using the P-256 NIST curve, no leeway for misinterpretation there
EdDSA is Edwards-curve Digital Signature Algorithm and we’re futher requiring the use of only the Ed25519 variant

2 and 3) puts forth general restrictions for EC and RSA based cryptography that may be in used outside of JWA e.g. in the Network layer protections - TLS

4) talks about otherwise issued opaque artefacts such as authorization codes and their minimal length / entropy used to generate them

If AS must only use EC keys for JWTs then why does section 2 mention RSA keys?

It doesn’t have to only use EC keys for JWTs.

Should there be a new “top-level” section between 3 and 4 that says something like “Elliptic curve subtype Ed25519 shall use PS256, ES256, or EdDSA algorithms" - is this the intent?

That doesn’t make much sense to me.

‌

2024-08-16T11:33:14+00:00

Dag Sneeggen reporter

Thank you for the reply. The issue was that I got confused, I thought PS256 was also an EC algorithm but of course it is not.

Then it’s clear, you can resolve/close this issue.

2024-08-16T11:56:22+00:00

Brian Campbell

2024-08-18T15:45:59+00:00

Nat Sakimura

changed status to new

2024-08-20T09:10:25+00:00

Nat Sakimura

changed status to closed

2024-08-21T14:22:23+00:00

Filip Skokan
Does this mean that AS must only use EC keys for JWTs? or is section 1b here only applicable Ed25519 keys?

I don’t understand how it could be read as such.

The section is called Cryptography and Secrets and doesn’t only pertain to JWT/S

1) An AS can use either one of the three JWS Algorithms for its issued assertions
- PS256 is RSASSA-PSS using SHA-256 and MGF1 with SHA-256, as defined in the JWA spec it is already required to use keys of 2048 bit or larger
- ES256 is ECDSA using the P-256 NIST curve, no leeway for misinterpretation there
- EdDSA is Edwards-curve Digital Signature Algorithm and we’re futher requiring the use of only the Ed25519 variant
2 and 3) puts forth general restrictions for EC and RSA based cryptography that may be in used outside of JWA e.g. in the Network layer protections - TLS

4) talks about otherwise issued opaque artefacts such as authorization codes and their minimal length / entropy used to generate them

If AS must only use EC keys for JWTs then why does section 2 mention RSA keys?

It doesn’t have to only use EC keys for JWTs.

Should there be a new “top-level” section between 3 and 4 that says something like “Elliptic curve subtype Ed25519 shall use PS256, ES256, or EdDSA algorithms" - is this the intent?

That doesn’t make much sense to me.

‌
- 2024-08-16T11:33:14+00:00
Dag Sneeggen reporter
Thank you for the reply. The issue was that I got confused, I thought PS256 was also an EC algorithm but of course it is not.

Then it’s clear, you can resolve/close this issue.
- 2024-08-16T11:56:22+00:00
Brian Campbell
also kinda related https://bitbucket.org/openid/fapi/issues/683/ec-keys-minimum-length
- 2024-08-18T15:45:59+00:00
Nat Sakimura
- changed status to new
- 2024-08-20T09:10:25+00:00
Nat Sakimura
- changed status to closed
- 2024-08-21T14:22:23+00:00
Log in to comment