I’ve published a new draft -03 that addresses Mike’s review comments, except for adjusting the text around “none” as per the feedback on the list that the current text is fine.
Chairs - I believe this is ready for WGLC now. Name: draft-ietf-jose-deprecate-none-rsa15 Revision: 03 Title: JOSE: Deprecate 'none' and 'RSA1_5' Date: 2025-09-19 Group: jose Pages: 7 URL: https://www.ietf.org/archive/id/draft-ietf-jose-deprecate-none-rsa15-03.txt <https://www.ietf.org/archive/id/draft-ietf-jose-deprecate-none-rsa15-03.txt> Status: https://datatracker.ietf.org/doc/draft-ietf-jose-deprecate-none-rsa15/ <https://datatracker.ietf.org/doc/draft-ietf-jose-deprecate-none-rsa15/> HTML: https://www.ietf.org/archive/id/draft-ietf-jose-deprecate-none-rsa15-03.html <https://www.ietf.org/archive/id/draft-ietf-jose-deprecate-none-rsa15-03.html> HTMLized: https://datatracker.ietf.org/doc/html/draft-ietf-jose-deprecate-none-rsa15 <https://datatracker.ietf.org/doc/html/draft-ietf-jose-deprecate-none-rsa15> Diff: https://author-tools.ietf.org/iddiff?url2=draft-ietf-jose-deprecate-none-rsa15-03 <https://author-tools.ietf.org/iddiff?url2=draft-ietf-jose-deprecate-none-rsa15-03> Cheers, Neil > On 31 Jul 2025, at 14:00, Brian Campbell <[email protected]> wrote: > > That link > https://www.ietf.org/archive/id/draft-ietf-jose-deprecate-none-rsa15-02.html#section-1.1-4 > > <https://www.ietf.org/archive/id/draft-ietf-jose-deprecate-none-rsa15-02.html#section-1.1-4> > points to the last paragraph of section 1.1. The 'none' algorithm > <https://www.ietf.org/archive/id/draft-ietf-jose-deprecate-none-rsa15-02.html#name-the-none-algorithm> > that has the text: > > 'Although there are some legitimate use-cases for Unsecured JWS, these are > relatively few in number and can easily be satisfied by alternative means. > The small risk of breaking some of these use-cases is far outweighed by the > improvement in security for the majority of JWS users who may be impacted by > accidental acceptance of the "none" algorithm.' > > Which is the text I'm suggesting already provides pretty good and even-handed > treatment of the topic and shouldn't be changed. > > > On Wed, Jul 30, 2025 at 1:30 PM Michael Jones <[email protected] > <mailto:[email protected]>> wrote: > The use cases that I’m asking to have added for reference are about “alg”: > “none”, so readers will know why it exists and how it is used – not “RSA1_5”. > I agree with Brian that the text describing “RSA1_5” is already fine. > > > > -- Mike > > > > From: Brian Campbell <[email protected] > <mailto:[email protected]>> > Sent: Wednesday, July 30, 2025 11:02 AM > To: Neil Madden <[email protected] <mailto:[email protected]>> > Cc: Michael Jones <[email protected] > <mailto:[email protected]>>; [email protected] <mailto:[email protected]>; > [email protected] <mailto:[email protected]> > Subject: Re: [jose] Re: Review of draft-ietf-jose-deprecate-none-rsa15-02 > > > > > > On Wed, Jul 30, 2025 at 2:53 AM Neil Madden <[email protected] > <mailto:[email protected]>> wrote: > > 1.1. > <https://www.ietf.org/archive/id/draft-ietf-jose-deprecate-none-rsa15-02.html#section-1.1>The > 'none' algorithm > <https://www.ietf.org/archive/id/draft-ietf-jose-deprecate-none-rsa15-02.html#name-the-none-algorithm>: > After the sentence beginning “Although there are some legitimate use-cases > for Unsecured JWS”, I suggest adding this text: > > One of the legitimate use cases for Unsecured JWSs is OpenID Connect ID > Tokens secured by sending them over a TLS connection, as described in Section > 2 of [OpenID.Core]. Another legitimate use is unsigned request objects, as > described in Section 6.1 of [OpenID.Core]. > > > > I’m open to adding something along these lines. I’ll raise a PR. > > > > I thought the text in > https://www.ietf.org/archive/id/draft-ietf-jose-deprecate-none-rsa15-02.html#section-1.1-4 > > <https://www.ietf.org/archive/id/draft-ietf-jose-deprecate-none-rsa15-02.html#section-1.1-4> > provies pretty good and even-handed treatment as is. I think it'd be a > mistake to list specific cases in the text here. > > > > > CONFIDENTIALITY NOTICE: This email may contain confidential and privileged > material for the sole use of the intended recipient(s). Any review, use, > distribution or disclosure by others is strictly prohibited. If you have > received this communication in error, please notify the sender immediately by > e-mail and delete the message and any file attachments from your computer. > Thank you. > > > CONFIDENTIALITY NOTICE: This email may contain confidential and privileged > material for the sole use of the intended recipient(s). Any review, use, > distribution or disclosure by others is strictly prohibited. If you have > received this communication in error, please notify the sender immediately by > e-mail and delete the message and any file attachments from your computer. > Thank you.
_______________________________________________ jose mailing list -- [email protected] To unsubscribe send an email to [email protected]
