Fair enough, but I think the current wording in section 2.2 of
https://www.ietf.org/archive/id/draft-ietf-jose-fully-specified-algorithms-02.html
is really unfortunate.  It’s not obvious to me how best to fix it, but it
should be fixed.  It really looks like COSE is saying that ECDSA is a
better choice than EdDSA.

On May 7, 2024 at 1:11:40 PM, Michael Jones <[email protected]>
wrote:

> https://www.rfc-editor.org/rfc/rfc8152 defines the “Recommended” registry
> column as:
>
>    Recommended:  Does the IETF have a consensus recommendation to use
>       the algorithm?  The legal values are 'Yes', 'No', and
>       'Deprecated'.
>
>
> That’s not nearly as granular as the somewhat-corresponding
> “Implementation Requirements” column for JOSE in
> https://www.rfc-editor.org/rfc/rfc7518.html:
>
>    JOSE Implementation Requirements:
>       The algorithm implementation requirements for JWS and JWE, which
>       must be one the words Required, Recommended, Optional, Deprecated,
>       or Prohibited.  Optionally, the word can be followed by a "+" or
>       "-".  The use of "+" indicates that the requirement strength is
>       likely to be increased in a future version of the specification.
>       The use of "-" indicates that the requirement strength is likely
>       to be decreased in a future version of the specification.  Any
>       identifiers registered for non-authenticated encryption algorithms
>       or other algorithms that are otherwise unsuitable for direct use
>       as JWS or JWE algorithms must be registered as "Prohibited".
>
> It’s not my read of the COSE “No” value that you can’t use the algorithm.
> It’s more that COSE isn’t making a statement that everyone must implement
> it (which would be a “Yes”, as I understand it).  “Deprecated” would be how
> COSE would say that you can’t use it.
>
>
>
>                                                                 -- Mike
>
>
>
> *From:* Anders Rundgren <[email protected]>
> *Sent:* Tuesday, May 7, 2024 12:58 PM
> *To:* Michael Jones <[email protected]>
> *Cc:* Karen ODonoghue <[email protected]>; jose <[email protected]>
> *Subject:* Re: "Ed25519 not recommended" Re: [jose] WGLC for
> draft-ietf-jose-fully-specified-algorithms
>
>
> On Tue, May 7, 2024, 20:04 Michael Jones <[email protected]>
> wrote:
>
>
> https://datatracker.ietf.org/doc/draft-ietf-jose-fully-specified-algorithms/
> denotes support for the algorithms as Optional.  And
> https://www.iana.org/assignments/jose/jose.xhtml likewise denotes the
> corresponding curves also as being Optional.
>
>
>
> Where is the “not recommended” text that you’re referring to, Anders?
>
> Hi Mike,
>
>
>
> Ed25519
>
> Ed448
>
> Under COSE
>
> there is a subtitle "Recommend"
>
> that has the value "No"
>
>
>
> I may be stupid but I don't understand how to interpret this.  I would
> like to use these algorithms but apparently you should not.
>
>
>
> Anders
>
>                                                                 -- Mike
>
>
>
> *From:* Anders Rundgren <[email protected]>
> *Sent:* Tuesday, May 7, 2024 12:47 AM
> *To:* Michael Jones <[email protected]>
> *Cc:* Karen ODonoghue <[email protected]>; jose <[email protected]>
> *Subject:* "Ed25519 not recommended" Re: [jose] WGLC for
> draft-ietf-jose-fully-specified-algorithms
>
> Could the authors please inform us mere mortals about the purpose of
> making Ed25519 and Ed448 not recommended?
>
>
>
> Anders
>
> _______________________________________________
> jose mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
>