Re: [jose] 🔔 WGLC of draft-ietf-cose-webauthn-algorithms

Jim Schaad <> Fri, 20 September 2019 14:32 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id A8FCC1201DE; Fri, 20 Sep 2019 07:32:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[AC_DIV_BONANZA=0.001, BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id DHvOxLjAgwlN; Fri, 20 Sep 2019 07:32:11 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 2720E120089; Fri, 20 Sep 2019 07:32:11 -0700 (PDT)
Received: from Jude ( by ( with Microsoft SMTP Server (TLS) id 15.0.1395.4; Fri, 20 Sep 2019 07:31:43 -0700
From: Jim Schaad <>
To: 'Neil Madden' <>, 'ivaylo petrov' <>
CC: <>, <>
References: <> <> <>
In-Reply-To: <>
Date: Fri, 20 Sep 2019 07:31:39 -0700
Message-ID: <012001d56fc0$1fb30e90$5f192bb0$>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0121_01D56F85.73559620"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQItNuZzA1TJsm3o5oYBLHm72ILihwMXxS2TAexErRSmXPE0kA==
Content-Language: en-us
X-Originating-IP: []
Archived-At: <>
Subject: Re: [jose] =?utf-8?q?=F0=9F=94=94_WGLC_of_draft-ietf-cose-webauthn-a?= =?utf-8?q?lgorithms?=
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Javascript Object Signing and Encryption <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 20 Sep 2019 14:32:14 -0000



From: jose <> On Behalf Of Neil Madden
Sent: Friday, September 20, 2019 2:35 AM
To: ivaylo petrov <>
Subject: Re: [jose] 🔔 WGLC of draft-ietf-cose-webauthn-algorithms


Thanks, I wasn't aware of this draft. It looks ok, just a few comments from me:


secp256k1 is mentioned in the context of signatures and the new ES256K JWS algorithm, but when it is registered in the JOSE Elliptic Curve registry it will also be usable for ECDH-ES encryption. The current draft mentions JOSE but only links to RFC 7515 (JWS). Is the intention that the curve be only used for signatures, or is it also intended for encryption?


[JLS] That is an interesting question.  Right now I would say that it is only for signatures, but it could be expanded to key agreement quite easily.  Is there any need for it or are you just speculating?  The big use I know of is bit coin which is only signatures and WebAuthn which is only signatures.


I'm glad RS1 is not being registered for JOSE, although I'm still a bit surprised that it is being registered (even as deprecated) for a standard as new as COSE. I can't find any justification in the linked WebAuthn or CTAP specs for why this algorithm needs to exist at all. Section 5.3 says that it needs to be registered because some WebAuthn TPM attestations use it, but the very same section says that the algorithm MUST NOT be used by COSE implementations (is a WebAuthn implementation not a COSE implementation?). If the normative language in the spec is obeyed then the algorithm will never be used and so the registered identifier isn't needed.


[JLS] For better or for worse, RS1 is already registered for JOSE, so that is the reason it is not registered here.  


-- Neil

On 19 Sep 2019, at 16:40, ivaylo petrov < <> > wrote:




As was suggested (thank you Jim), I am forwarding you this message about the COSE WGLC on draft-ietf-cose-webauthn-algorithms [1] as it has actions on "JSON Web Signature and Encryption Algorithms" and "JSON Web Key Elliptic Curve" registries.


The working group last call will end on October 1, 2019.

Please review and send any comments or feedback to the COSE working group. Even if your feedback is "this is ready", please let us know.

Thank you,

- Matthew and Ivaylo

COSE Chairs




On Tue, Sep 17, 2019 at 4:31 PM ivaylo petrov < <> > wrote:

Dear all,

This message starts the Working Group Last Call on the draft-ietf-cose-webauthn-algorithms [1].

The working group last call will run for **two weeks**, ending on
October 1, 2019.

Please review and send any comments or feedback to the working group. Even if your feedback is "this is ready", please let us know.

Thank you,

- Matthew and Ivaylo

COSE Chairs


jose mailing list <>