On Mon, May 9, 2022 at 8:40 AM Neil Madden <[email protected]> wrote:
> > On 6 May 2022, at 17:26, Sergey Beryozkin <[email protected]> wrote:
> >
> > Hi Everyone
> >
> > I'm contributing to a project where `RSA-OAEP` [1] is currently a default
> > key encryption algorithm for encrypting JWT claims and we've had a request
> > to replace it with `RSA-OAEP-256` because `SHA-1` is used in `RSA-OAEP`.
> >
> > I'd like to ask the experts, why does `RSA-OAEP` have a `Recommended+`
> > status, while `RSA-OAEP-256` - optional, at [1]?
> >
> > Also, while it is not a JOSE specific question, I'd appreciate some
> > comments on whether having an 'SHA-1' element in the `RSA-OAEP` encryption
> > process makes `RSA-OAEP` less secure or not. My basic understanding, based
> > on some Web search results, is that `RSA-OAEP` remains a secure algorithm.
>
> It may be better to ask this question of CFRG. I am not aware of any
> attacks on SHA-1 in the context of MGF1 at the current time. But that may
> be partly because nobody is looking for them: SHA-1 has been proven
> insecure, do cryptographers have to publicly break every individual use of
> it before people stop using it?

Thanks for your answer, it makes sense. But now I'm even more interested in finding out why RSA-OAEP has a `Recommended+` status in the JOSE space in [1], even though the JWA spec is outdated, it was known, when it was created, that SHA-1 was insecure.

Thanks, Sergey

> > Thanks, Sergey
> >
> > [1] https://tools.ietf.org/html/rfc7518#section-4.3%5BRSA-OAEP%5D
> > _______________________________________________
> > jose mailing list
> > [email protected]
> > https://www.ietf.org/mailman/listinfo/jose
>
> — Neil
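For the migration request discussed in this thread, an inventory helper that reads the protected header of a JWE compact token and reports which OAEP digest its `alg` implies. This is an added example, not code from the thread or from the project mentioned in it; the `allowed` policy, the verdict strings and the sample tokens are constructed assumptions.

```python
import base64
import json

# OAEP digest per JWE "alg" (RFC 7518 section 4.3); MGF1 uses the same digest.
OAEP_DIGEST = {"RSA-OAEP": "SHA-1", "RSA-OAEP-256": "SHA-256"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_jwe(alg: str, enc: str = "A256GCM") -> str:
    """Constructed token: real protected header, placeholder other segments."""
    header = _b64url(json.dumps({"alg": alg, "enc": enc}).encode())
    return ".".join([header, _b64url(b"key"), _b64url(b"iv"),
                     _b64url(b"ciphertext"), _b64url(b"tag")])


def protected_header(token: str) -> dict:
    """Decode the protected header of a JWE compact serialization."""
    parts = token.split(".")
    if len(parts) != 5:  # JWE compact has 5 segments, JWS has 3
        raise ValueError("not a JWE compact serialization")
    raw = base64.urlsafe_b64decode(parts[0] + "=" * (-len(parts[0]) % 4))
    header = json.loads(raw)
    if not isinstance(header, dict) or not isinstance(header.get("alg"), str):
        raise ValueError("protected header has no string 'alg'")
    return header


def audit(token: str, allowed=frozenset({"RSA-OAEP-256"})):
    """Return (alg, oaep_digest, verdict); `allowed` is a hypothetical policy."""
    alg = protected_header(token)["alg"]
    digest = OAEP_DIGEST.get(alg)  # None for non-OAEP algorithms
    if alg in allowed:
        verdict = "ok"
    elif digest is not None:
        verdict = "migrate"  # OAEP, but not the digest the policy wants
    else:
        verdict = "reject"  # not an algorithm this policy knows
    return alg, digest, verdict


if __name__ == "__main__":
    for alg in ("RSA-OAEP", "RSA-OAEP-256", "RSA1_5"):
        print(audit(make_sample_jwe(alg)))
```

The header is only decoded here, not authenticated, so the result is suitable for inventory and logging; enforcement belongs in the JOSE library's algorithm allow-list at decryption time.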
