IMO, symmetric integrity protection is a useful primitive, and it's already part of the JWT spec. I think all that's required here in the charter is to wordsmith it to separate out symmetric from asymmetric integrity algorithms,
-Ekr

On Thu, Aug 4, 2011 at 8:48 AM, Paul Hoffman <[email protected]> wrote:
> On Aug 4, 2011, at 8:41 AM, Paul C. Bryan wrote:
>
>> On Thu, 2011-08-04 at 09:03 -0400, Sean Turner wrote:
>>>
>>> I just want to make sure that we agree now that a digital signature is a
>>> hash followed by a signature algorithm (e.g., RSA with SHA-256). I've
>>> seen a couple of drafts that tried to say an HMAC (e.g., HMAC-SHA256)
>>> was a digital signature; one called it a symmetric key based digital
>>> signature algorithm (note this phrase didn't get through the IESG).
>>>
>>
>> I don't agree.
>
> You don't agree with his definition? Where do you see HMACs defined as
> "digital signatures"?
>
>> I believe we should be able to use this useful plumbing to ensure
>> integrity/authenticity without having to rely exclusively on public key
>> cryptography.
>
> That is a separate issue. Are you asking that a fifth item be added to the
> charter, to define HMAC'd content?
>
> --Paul Hoffman
>
> _______________________________________________
> woes mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/woes
