RE: JOSE Last Call and ISSUE 28

I don't think that the "ask JOSE to do this" option is a viable option, given that this was discussed in JOSE multiple times and it was repeatedly decided not to support structured algorithm identifiers.  Some of this discussion is recorded at http://trac.tools.ietf.org/wg/jose/trac/ticket/7.

I would personally advocate supporting those JWA identifiers that make sense in WebCrypto, but if that isn't done, I would at least suggest having an appendix listing the correspondence between the JWA identifiers and the corresponding structured WebCrypto algorithm identifiers.  That would at least increase the chance of developers understanding the correspondence correctly.

				-- Mike

-----Original Message-----
From: Harry Halpin [mailto:hhalpin@w3.org] 
Sent: Monday, April 07, 2014 12:48 PM
To: public-webcrypto@w3.org
Subject: JOSE Last Call and ISSUE 28

Before we exit Last Call we should deal with the "algorithm shortname for ciphersuites" issue (Issue 28) and close it officially.

Note that JOSE Web Algorithms is still in Last Call [1] as well.

Do we have any desire in particular to allow the short names used by JOSE in our spec, or at least a clear conversion function that generates an Algorithm object for a given JOSE ciphersuite (so that "PS256" specified keys in JOSE are automagically converted to RSA-PSS using SHA-256/MG-1 a la http://www.w3.org/2012/webcrypto/track/issues/28)?

Or do we ask JOSE to do this?

Or do we expect developers to handle this?

Also, as regards the SAAG comments, it may be useful to look at Mike's security concerns section [1], where he deals with the same issues brought up by the SAAG on WebCrypto.

   cheers,
     harry

[1] http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-25

Received on Wednesday, 9 April 2014 20:10:13 UTC
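
The kind of conversion function discussed in the thread above, as an added example that is not part of either message or of the JOSE or WebCrypto specifications: it maps a JWA signature or MAC short name to the structured WebCrypto parameters and refuses names or keys that do not fit. The helper name `jwaToWebCrypto` and its return shape are assumptions, and only the HS, RS, PS and ES families are covered.

```javascript
// Added example: map a JWA signature/MAC "alg" name to WebCrypto parameters.
// jwaToWebCrypto is a hypothetical helper name, not part of either spec.
const FAMILIES = {
  HS: { name: "HMAC", kty: "oct" },
  RS: { name: "RSASSA-PKCS1-v1_5", kty: "RSA" },
  PS: { name: "RSA-PSS", kty: "RSA" },
  ES: { name: "ECDSA", kty: "EC" },
};
// ES512 uses curve P-521, not "P-512": the digits in "alg" name the hash only.
const CURVES = { 256: "P-256", 384: "P-384", 512: "P-521" };

function jwaToWebCrypto(alg, jwk) {
  const m = /^(HS|RS|PS|ES)(256|384|512)$/.exec(String(alg));
  // "none", encryption algorithms and unknown names are refused outright,
  // never mapped to a default.
  if (!m) throw new Error(`unsupported JWA signature algorithm: ${alg}`);
  const family = FAMILIES[m[1]];
  const bits = Number(m[2]);
  const hash = `SHA-${bits}`;

  if (jwk) {
    // The key must match the algorithm chosen by the verifier, so an RSA
    // public key cannot be passed off as an HMAC secret.
    if (jwk.kty !== family.kty)
      throw new Error(`${alg} needs kty ${family.kty}, got ${jwk.kty}`);
    if (jwk.alg !== undefined && jwk.alg !== alg)
      throw new Error(`JWK is restricted to ${jwk.alg}, not ${alg}`);
    if (family.kty === "EC" && jwk.crv !== CURVES[bits])
      throw new Error(`${alg} needs curve ${CURVES[bits]}, got ${jwk.crv}`);
  }

  switch (m[1]) {
    case "ES": // the curve is fixed at import, the hash is given per operation
      return { importParams: { name: family.name, namedCurve: CURVES[bits] },
               opParams: { name: family.name, hash } };
    case "PS": // JWA sets the PSS salt length to the hash output size in bytes
      return { importParams: { name: family.name, hash },
               opParams: { name: family.name, saltLength: bits / 8 } };
    default:   // HMAC and RSASSA-PKCS1-v1_5 bind the hash to the key at import
      return { importParams: { name: family.name, hash },
               opParams: { name: family.name } };
  }
}
```

`importParams` is the algorithm argument for `crypto.subtle.importKey("jwk", ...)` and `opParams` the one for `sign` or `verify`.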