On 12/11/2013 08:00 PM, Luke Howard wrote:
> I'd rather have algorithm agility in the spec and a separate profile
> for a particular use case (which can, say, require only one
> algorithm being mandatory to implement) than baking the algorithm in
> the spec.

There is the equivalent to algorithm agility in SM, read the comments in
the blog post for details:

http://manu.sporny.org/2013/sm-vs-jose/#comment-2763

> And PEM-inside-JSON just seems a bit ugly to me

Yes, it's ugly, but it also ensures that when Web developers copy/paste
the public keys around (which they will), they won't accidentally
truncate the key data (or if they do, it'll be clear that they did).

This was one of the areas that we could align with the JOSE specs, on
key format. However, it seems as if PEM-encoded keys are less dangerous
to pass around among Web developers than the way they're expressed in
JOSE.

> I don't really buy the implementation complexity argument when there
> are already plenty of libraries that will do the heavy lifting for
> you.

It's not just implementation complexity for library implementers, which
is bad. It's also implementation complexity for the entire stack, all
the way up to the application layer. It's also cognitive complexity for
the developers using the libraries; they will feel like they have to go
off and understand all of those key parameters when 90%+ of the time,
the defaults will be fine.

The question we asked ourselves wrt. algorithm agility was: Is this
algorithm agility feature buying anything significant? The answer, each
time we asked the question, was no. For 90%+ of the use cases, there is
typically a set of defaults that most developers use. Look at the way
HTTPS is configured on most Web servers - developers and sysadmins use
the defaults 90%+ of the time. The same could easily be applied to
crypto parameters, as the only people that truly care about being able
to fiddle with those parameters are security/crypto folks.

-- manu

-- 
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: Meritora - Web payments commercial launch
http://blog.meritora.com/launch/

_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
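The copy/paste argument in the message above, worked through as an added example (not code from the thread, from SM, or from any JOSE library): a strict PEM parser rejects a pasted key that lost any of its trailing characters because the END line is mandatory, whereas a JWK-style base64url parameter with the padding stripped only fails when the leftover length happens to be 1 mod 4, and in the other three of four cases silently decodes to a shorter value. The key bytes are a constructed placeholder, not a real key, and the names are the example's own.

```python
import base64
import binascii
import re

# Constructed stand-in for DER-encoded public key bytes (not a real key).
SAMPLE_DER = bytes(range(64))


def to_pem(der: bytes, label: str = "PUBLIC KEY") -> str:
    """Wrap bytes in PEM armor with 64-character base64 lines."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def parse_pem(pem: str) -> bytes:
    """Strict PEM parse: matching BEGIN/END lines and valid padded base64 are required."""
    m = re.fullmatch(r"-----BEGIN ([A-Z ]+)-----\n(.+?)\n-----END \1-----\n?", pem, re.S)
    if m is None:
        raise ValueError("PEM armor incomplete: missing or mismatched BEGIN/END line")
    # validate=True rejects stray characters; a dangling partial quad raises binascii.Error
    return base64.b64decode(m.group(2).replace("\n", ""), validate=True)


def to_jwk_param(data: bytes) -> str:
    """Encode bytes as JWK does for 'n', 'e', 'x': base64url with the padding stripped."""
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def parse_jwk_param(text: str) -> bytes:
    """Decode a JWK parameter, re-adding the padding that JWK strips."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


PEM_TEXT = to_pem(SAMPLE_DER).rstrip("\n")  # the key text as it sits on a clipboard
JWK_N = to_jwk_param(SAMPLE_DER)            # the same bytes as a JWK 'n' value


def truncation_detected(parser, pasted: str, drop: int) -> bool:
    """True if `parser` rejects the pasted key text once its last `drop` characters are lost."""
    try:
        parser(pasted[: len(pasted) - drop])
        return False
    except (ValueError, binascii.Error):
        return True


def jwk_decoded_length(drop: int) -> int:
    """Byte length a truncated JWK value silently decodes to (the intact value is 64 bytes)."""
    return len(parse_jwk_param(JWK_N[: len(JWK_N) - drop]))
```

Interior damage (a whole dropped line in the PEM body, for instance) keeps the armor and the base64 well-formed, so that case is only caught when the DER inside is actually parsed; the armor check covers the common tail truncation.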
