In no place is SHA-1 or algorithms using it MTI. You can see the set of MTI algorithms by looking at those marked “Required” in the registries.
A small set of required algorithms is present, with the choices based on a detailed survey of what algorithms are widely deployed, to provide a basis for implementations to interoperate. Recognizing that the set of algorithms that will be appropriate to have as required will change over time, Sean Turner suggested that we enable future drafts to update the Implementation Requirements in the registries, with expert review. (So for instance, an algorithm that might be “Required” today could be marked “Deprecated” in the future.) We adopted Sean’s suggestion a good while ago.

This is another area that was widely discussed within the JOSE working group, and there was never consensus to remove the implementation requirements, which have always been present.

-- Mike

From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Kathleen Moriarty
Sent: Friday, June 13, 2014 12:14 PM
To: Hannes Tschofenig
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] JWT review

Hi Hannes,

Thank you for going through the various reviews, since the JOSE ones should be of interest to Oauth. I'll respond in-line.

On Thu, Jun 12, 2014 at 4:27 AM, Hannes Tschofenig <hannes.tschofe...@gmx.net> wrote:

> Hi Kathleen,
>
> on the first item I have a few minor remarks:
>
> You wrote:
>
> "As I read through the Algorithms (JWA) draft there are some changes that will need to be made to avoid problems during the IESG review. This is a pretty big change for the draft, but will help make the review and approval faster. Typically, the lists of algorithms are handled through a draft update as opposed to creating an IANA registry. A good example is a recent update of a draft in the IPSECME working group so you can see the structure and the precedence for this model."

FYI - this is from the start of a long thread that has been worked out already. I had included a link to the JWA review only for the section on the security considerations section as many of the drafts in JOSE, and at least one in OAuth start out with the same paragraph that could use some updating and correcting. I wanted to make sure this working group was aware since JWT shares that same paragraph. Mike is working through new text and has solicited help from the WG (please respond on the JOSE list).

> The IANA registry for the algorithm serves a different purpose than a document recommending the specific algorithms. The reference to the IPSECME document only provides the latter. It is also important to note that the JWA not only defines the algorithm tags for the IANA registry but also explains how they actually work with the JOSE defined JSON structures (which is again a difference to the mentioned IPSECME document).

The discussion on having a registry versus a draft has been settled. The possibility of an issue came to me through an AD and after discussion, it is fine as it is. There were some considerations that needed to get surfaced, so the document can remain as-is. Sorry for the confusion. I'll file this away for future reference.

> Of course, the JWA document does both via the IANA registry and there is the question about how these recommendations would then get updated and what the consensus process is. In a mail to the JOSE mailing list I argued against any MTI recommendations since JOSE is a baseline technology that will be used in a variety of different contexts and it is super likely that the algorithm requirements will hugely vary. I am just thinking about what algorithms I would recommend when using the JOSE work in an IoT environment. My recommendations would deviate from the currently given recommendations, which are largely impacted by the Web community.
>
> Here is the mail I sent to the JOSE list:
> http://www.ietf.org/mail-archive/web/jose/current/msg04032.html
>
> So, my recommendation is to
> 1) have no MTI requirements in the JWA spec
> 2) remove the 'JOSE Implementation Requirements' column from the IANA registry.

Interesting. I do remember having these discussions with Sean and Richard (see http://www.ietf.org/mail-archive/web/jose/current/msg04060.html). In Jim's opinion (from: http://www.ietf.org/mail-archive/web/jose/current/msg04062.html), his view is that even the MTI in JWA can be overridden in the spec. I wonder why you would have an MTI then? This closed out the discussion and it would be better to see it on the JOSE list than here. If the point is to get Oauth people who are encountering conflicts as a user of JOSE drafts to chime in, that should happen on the JOSE list.

I suspect this will be an issue for XMPP as well. They are phasing out SHA-1, so if that's MTI for fingerprints, they may still feel like they have to support SHA-1 for that purpose even though their work specifies that SHA-2 should be used everywhere.

Since JWA is getting closer to IESG review, I'll ask other ADs their thoughts on how they like to see this sort of thing handled. Both Richard and Jim raised valid points.

Thank you,
Kathleen

> Ciao
> Hannes
>
> On 06/09/2014 06:17 PM, Kathleen Moriarty wrote:
>> Hello,
>>
>> I am in process of working through the JOSE drafts and also read the Oauth JWT draft last week. There is some overlap in text that may require some joint work to correct.
>>
>> 1. For JWT, the Security Considerations section starts off with the same text that is in several of the JOSE drafts. In my review of the JWA draft, I asked for some fixes that will need to be made to this draft as well. Here is a link to that review and it may be easier to help with this work in one spot where text will be reused. Mike has asked the JOSE WG to assist, but it may make sense for Oauth folks to help as well. If it makes sense, a pointer to existing text is also fine.
>>
>> http://www.ietf.org/mail-archive/web/jose/current/msg04064.html
>>
>> 2. Sections 5.1 and 5.2 are a little confusing. However, the use of "typ" and "cty" appear in 3 drafts (at least), so this should get addressed with an approach that considers the joint text to reduce confusion for developers. The initial descriptions are in the JOSE JWS draft, so that may need most of the work, but it also appears in this draft and the JOSE JWK draft. In my writeup for the JWK review, I listed out some questions and would like to see improvements across these drafts. This will likely require some joint work and may be best in response to the JWK review to keep it in one place.
>>
>> http://www.ietf.org/mail-archive/web/jose/current/msg04172.html
>>
>> Thank you!
>>
>> --
>>
>> Best regards,
>> Kathleen
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth

--
Best regards,
Kathleen