On Tue, Sep 23, 2025 at 1:51 PM Neil Madden <[email protected]> wrote:
> > > On 22 Sep 2025, at 20:54, Orie <[email protected]> wrote: > > > Hi, > > I recently reviewed: > https://datatracker.ietf.org/doc/draft-ietf-lamps-x509-alg-none/10/ > > > I kinda wish I’d not seen that. > ha : ) > > It's possible there is useful material to reference here. > > I do think commentary on historical usage might be helpful, the current > text states: > > > Although there are some legitimate use-cases for Unsecured JWS, these > are relatively few in number and can easily be satisfied by alternative > means. > > A reference for what these legitimate use cases are would be helpful. > > > Helpful for whom and for what reason? I’m not averse to adding some text > if it serves a concrete purpose, but as I said to Mike, it feels like > muddying the waters. I’m not really sure why it’s helpful for a reader to > see specific examples. > Well in the spirit of the current text, if there are legitimate use cases, let's name them... If there are not, let's remove the sentence about them existing. I'm speculating, but I imagine the legitimate use cases are: 1. Delivering unsigned JWS over TLS (Who does this, why do they do this?) 2. Delivering unsigned JWS as part of requesting a signature (Who does this, why do they do this?) 2 is maybe the same case as the lamps doc? I legitimately do not know why anyone would use alg none today.... If it's still relevant for compatibility, we should be able to point to systems that are still operational that require it. If we can't, there might be no legitimate use. And as a side benefit, if there are protocols that were built by the IETF that still require alg none, and it might be time to make them historic, perhaps this could help identify those cases. The end goal of the draft is to make the internet safer, the more explicit we can be about where this has been used in the past the better IMO. > > — Neil > > >
_______________________________________________ jose mailing list -- [email protected] To unsubscribe send an email to [email protected]
