Hi Richard,
a short remark below.
Sent: Wednesday, 16 April 2014 at 15:34
From: "Richard Barnes" <[email protected]>
To: "John Bradley" <[email protected]>
Cc: "Hannes Tschofenig" <[email protected]>, "[email protected]" <[email protected]>
Subject: Re: [jose] Implementation Requirements
Let me address this in two parts, first with my IESG hat on, and then as an individual.
<hat type="IESG">
The IESG does NOT think that a set of mandatory algorithms in JWA is a requirement for interoperability.
After having discussed this with Kathleen and Sean: There are several different ways to address interoperability with a framework protocol like JOSE. CMS provides a fine example of how algorithms can be left flexible at the security layer, with applications like S/MIME defining algorithm requirements. Algorithm agility is another important consideration in security protocol design, and locking in algorithms too deeply can hinder updates in the future.
</hat>
[hannes] Sounds reasonable to me.
<hat type="individual">
I continue to be concerned that having mandatory algorithms for JOSE will make two types of applications non-compliant:
1. JOSE implementations are often going to not have any choice in what algorithms they can support. They're going to be built on top of crypto libraries, which either support an algorithm or they don't. It's pointless to levy requirements at the JOSE layer.
2. Constrained devices aren't going to want to implement a whole boatload of algorithms, just the ones they need for their use cases.
[hannes] Also makes sense to me.
Limiting the requirement to "standalone JOSE libraries" doesn't address either of these concerns.
As a compromise, how about if we define a RECOMMENDED suite of common algorithms? That would help guide implementations toward interop without ruling out the above use cases.
</hat>
[hannes] It makes sense for me to define domain specific recommendations. I will write some of those down for a specific Internet of Things context. For the use of JOSE with OpenID Connect these recommendations are available already.
Ciao
Hannes
Hope that helps clarify things,
--Richard
On Mon, Apr 14, 2014 at 9:09 AM, John Bradley <[email protected]> wrote:
The IESG wants to see interoperability between implementations, to do that without dragging in discovery etc there need to be minimum feature sets of JOSE libraries that people can count on.
An application using JOSE can elect not to support all the algorithms, but JOSE libraries need to support the mandatory to implement algorithms.
On Apr 14, 2014, at 9:48 AM, Hannes Tschofenig <[email protected]> wrote:
Hi all,
I am looking at the implementation requirements of the JWA spec and I am wondering to what deployment environment they refer.
The JW* specs are generic building blocks and I fail to see how one can list mandatory-to-implement algorithms.
Ciao
Hannes
_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
