Re: [jose] 🔔 WGLC of draft-ietf-cose-webauthn-algorithms

Neil Madden <> Fri, 20 September 2019 15:08 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id D269812082E for <>; Fri, 20 Sep 2019 08:08:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id THlAj1zlY5UT for <>; Fri, 20 Sep 2019 08:08:45 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4864:20::332]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id CAE391201EF for <>; Fri, 20 Sep 2019 08:08:44 -0700 (PDT)
Received: by with SMTP id p7so2890011wmp.4 for <>; Fri, 20 Sep 2019 08:08:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=ZF1yCbzc4WLfsm/k1BLYQCDl+Bw29JJPKydD4xqFX2A=; b=A1W+kM275z+0LXPdjgrTAUpmcg2y6IW1Qh7arK2kTrk95z35Qjr/Xb6ZgJeDkeZyQK 6cYZ23j1ISq804Kq5EJQK+I7ZuTaTvJRBWl7DWqrbDngSRMD4tE8969K2PaV8yD2F0ph u4jSD9pfgk0+7KlHNcmYWV36oQr46o2HFpSzc=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=ZF1yCbzc4WLfsm/k1BLYQCDl+Bw29JJPKydD4xqFX2A=; b=jUz1bP6wKbL1qhYRyHfJSjY1PLmzQvYLBnQDHRYNooKIUSbM1Rs2auiiHeQol3IJUk k5FzkM3eYayOPWv+tmosxry64RSHLSRphKXCCDxVea9RrBuhdSG8UnKsjvr0Tgs2D98k PTWsIELILRorhpyzyISiW2+OQFVrm1nS7MtX76g8qnBTjFEj5oQmB98yz+Q1iO+Ovf73 9OK6BzpQikHWCttqakyF/+uJL7oqTkfIj9uUpi7IoHxSJgWeDyYnmeABMZIwsAhlHZHl juNnoj5DK9fXfLz+2JajcF/CaEaOroUGe7GeAubvylYDHaEAAdVwD4hyET8VvKVIlLX+ DnzA==
X-Gm-Message-State: APjAAAWf5wuHkUP+GYTCMRJvMwvvI7wbVYSJX9zsFvpW8jO9UoOkU839 X2hxue7OJM8WruyejCxwpfTEzw==
X-Google-Smtp-Source: APXvYqziMgPgkJXuNDNMyzWv+bZFDYWjgwHvsGnVRnTcya5eKgokBQF7/khE7BefwzVlF7/Dk8K3zg==
X-Received: by 2002:a1c:a94b:: with SMTP id s72mr3877821wme.9.1568992123128; Fri, 20 Sep 2019 08:08:43 -0700 (PDT)
Received: from [] ( []) by with ESMTPSA id z142sm3946362wmc.24.2019. (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 20 Sep 2019 08:08:42 -0700 (PDT)
From: Neil Madden <>
Message-Id: <>
Content-Type: multipart/alternative; boundary="Apple-Mail=_D5F0C2A5-597D-4AF6-8C57-F342FF88EC0C"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Fri, 20 Sep 2019 16:08:41 +0100
In-Reply-To: <012001d56fc0$1fb30e90$5f192bb0$>
Cc: ivaylo petrov <>,,
To: Jim Schaad <>
References: <> <> <> <012001d56fc0$1fb30e90$5f192bb0$>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <>
Subject: Re: [jose] =?utf-8?q?=F0=9F=94=94_WGLC_of_draft-ietf-cose-webauthn-a?= =?utf-8?q?lgorithms?=
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Javascript Object Signing and Encryption <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 20 Sep 2019 15:08:48 -0000

Thanks for the reply, comments in-line marked with [NEM]:

> On 20 Sep 2019, at 15:31, Jim Schaad <> wrote:
> From: jose < <>> On Behalf Of Neil Madden
> Sent: Friday, September 20, 2019 2:35 AM
> To: ivaylo petrov < <>>
> Cc: <>; <>
> Subject: Re: [jose] 🔔 WGLC of draft-ietf-cose-webauthn-algorithms
> Thanks, I wasn't aware of this draft. It looks ok, just a few comments from me:
> secp256k1 is mentioned in the context of signatures and the new ES256K JWS algorithm, but when it is registered in the JOSE Elliptic Curve registry it will also be usable for ECDH-ES encryption. The current draft mentions JOSE but only links to RFC 7515 (JWS). Is the intention that the curve be only used for signatures, or is it also intended for encryption?
> [JLS] That is an interesting question.  Right now I would say that it is only for signatures, but it could be expanded to key agreement quite easily.  Is there any need for it or are you just speculating?  The big use I know of is bit coin which is only signatures and WebAuthn which is only signatures.

[NEM] As soon as it is registered as a JOSE elliptic curve it can be used for ECDH-ES, so the draft should make a statement one way or another as to whether this is intended rather than standardizing that usage by side-effect IMO.

> I'm glad RS1 is not being registered for JOSE, although I'm still a bit surprised that it is being registered (even as deprecated) for a standard as new as COSE. I can't find any justification in the linked WebAuthn or CTAP specs for why this algorithm needs to exist at all. Section 5.3 says that it needs to be registered because some WebAuthn TPM attestations use it, but the very same section says that the algorithm MUST NOT be used by COSE implementations (is a WebAuthn implementation not a COSE implementation?). If the normative language in the spec is obeyed then the algorithm will never be used and so the registered identifier isn't needed.
> [JLS] For better or for worse, RS1 is already registered for JOSE, so that is the reason it is not registered here.  

Ouch, I hadn't seen this. The WebCrypto group really did a number on the registry. Thankfully most of them (including RS1) are only registered for JWK usage and marked as Prohibited. (What does it even mean for things like "A128CBC" to be registered as a JWK "alg" value?)

My main point still stands that section 5.3 of the draft is self-contradictory as it says that the reason for registry is because some TPMs are using the algorithm but then also says that those implementations MUST NOT use the algorithm, negating the reason for registering it in the first place.

-- Neil