Protocol Action: 'Fully-Specified Algorithms for JOSE and COSE' to Proposed Standard (draft-ietf-jose-fully-specified-algorithms-13.txt)

The IESG <iesg-secretary@ietf.org> Mon, 12 May 2025 21:39 UTC

The IESG has approved the following document:
- 'Fully-Specified Algorithms for JOSE and COSE'
  (draft-ietf-jose-fully-specified-algorithms-13.txt) as Proposed Standard

This document is the product of the Javascript Object Signing and Encryption
Working Group.

The IESG contact persons are Paul Wouters and Deb Cooley.

A URL of this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-jose-fully-specified-algorithms/




Technical Summary

   This specification refers to cryptographic algorithm identifiers that
   fully specify the cryptographic operations to be performed, including
   any curve, key derivation function (KDF), hash functions, etc., as
   being "fully specified".  Whereas, it refers to cryptographic
   algorithm identifiers that require additional information beyond the
   algorithm identifier to determine the cryptographic operations to be
   performed as being "polymorphic".  This specification creates fully-
   specified algorithm identifiers for registered JOSE and COSE
   polymorphic algorithm identifiers, enabling applications to use only
   fully-specified algorithm identifiers.

Working Group Summary

There was one reviewer who disagreed with the approach taken to solve the
problem.  He stated that protocols could add metadata values as needed to
provide additional algorithm parameters, rather than depending upon having
fully-specified algorithms.  However, despite that dissent, there was working
group support for solving the problem in the manner specified.

No threatened appeal or extreme discontent.

Document Quality

The OpenID FAPI 2.0 Security Profile
(https://openid.net/specs/fapi-security-profile-2_0.html) suggests use of the
"Ed25519" algorithm, once registered.  This specification is in OpenID
Foundation wide review to become final, roughly the equivalent of IETF Last
Call.  There are many open finance and open banking ecosystems around the world
using FAPI 2.0.  

There is also interest in the FIDO Alliance to use "Ed448",
once registered.

While there are no normative downward references, there is an informative downward
reference to RFC 8152 (which has been obsoleted by RFC 9052 and RFC 9053, which
are normatively referenced) because the specification updates the status of an
algorithm registration made by RFC 8152.  The registration is not found in the
RFCs replacing it.

Personnel

   The Document Shepherd for this document is Karen O'Donoghue. The
   Responsible Area Director is Deb Cooley.
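
An added example, not part of the IESG announcement or the draft: a verifier-side policy check illustrating the distinction the Technical Summary draws, where polymorphic "EdDSA" needs the key's "crv" to determine the operation while "Ed25519" and "Ed448" pin it by name. The function names, reason codes and sample keys are constructed for illustration; the "EdDSA" behaviour (RFC 8037) and the ES256 entry (RFC 7518) are taken from those RFCs rather than from this announcement.

```python
import base64
import json

# Fully-specified JOSE identifiers: the name alone pins key type and curve.
# "Ed25519"/"Ed448" are the names in the announcement; ES256 is fixed to
# P-256 by RFC 7518. This table is an illustrative subset (assumption).
FULLY_SPECIFIED = {
    "Ed25519": ("OKP", "Ed25519"),
    "Ed448": ("OKP", "Ed448"),
    "ES256": ("EC", "P-256"),
}
# Polymorphic: "EdDSA" (RFC 8037) takes its curve from the key's "crv".
POLYMORPHIC = {"EdDSA": {"Ed25519": "Ed25519", "Ed448": "Ed448"}}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def resolve_alg(alg, jwk):
    """Map a polymorphic alg plus key to its fully-specified name, else None."""
    if alg in FULLY_SPECIFIED:
        return alg
    return POLYMORPHIC.get(alg, {}).get(jwk.get("crv"))

def check_header(protected_b64, jwk):
    """Policy check on a JWS protected header; returns (accepted, reason)."""
    try:
        padded = protected_b64 + "=" * (-len(protected_b64) % 4)
        header = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return False, "malformed-header"
    alg = header.get("alg") if isinstance(header, dict) else None
    if isinstance(alg, str) and alg in POLYMORPHIC:
        return False, "polymorphic-alg"  # meaning depends on the key
    if not isinstance(alg, str) or alg not in FULLY_SPECIFIED:
        return False, "alg-not-allowed"
    if (jwk.get("kty"), jwk.get("crv")) != FULLY_SPECIFIED[alg]:
        return False, "key-mismatch"  # key is not what the alg name pins
    return True, "ok"

# Constructed sample keys (placeholder "x" values, not real key material).
KEY_25519 = {"kty": "OKP", "crv": "Ed25519", "x": "placeholder"}
KEY_448 = {"kty": "OKP", "crv": "Ed448", "x": "placeholder"}

if __name__ == "__main__":
    for alg, key in [("EdDSA", KEY_25519), ("Ed25519", KEY_25519), ("Ed25519", KEY_448)]:
        hdr = b64url(json.dumps({"alg": alg}).encode())
        print(alg, key["crv"], check_header(hdr, key), resolve_alg(alg, key))
```

resolve_alg shows the extra lookup a polymorphic identifier forces on every verifier; check_header shows a policy that accepts only names whose meaning does not depend on that lookup.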