On Wednesday, September 17, 2014, Tero Kivinen <kivinen(_at_)iki(_dot_)fi>
wrote:
Richard Barnes writes:
Perhaps, but is there benefits for leaving the alg without
protection?
Simplicity (if you omit protected headers altogether), and
compatibility with other signed things. In the sense that you could
transform one of them into a JWS without re-signing. This would
apply, for example, to an X.509 certificate -- just parse the outer
SEQUENCE, and re-assemble into a JWS with the tbsCertificate as
payload. Same security properties that X.509 already has.
Ok, having this kind of information somewhere in the draft would help
to understand the reason. Also having text explaining that is
possible, and that the security properties of this option (i.e. no
problem with PKCS#1, etc... the text you had in the other email).
It's also completely unnecessary for PKCS#1 signatures, which are
the dominant use case today.
I agree.
In general, I'm opposed to protocols baking in more
application-specific logic than they need to. The point of JOSE is
to describe the cryptographic operation that was performed, and
carry the relevant bits around. Its job is not to fix all the
weaknesses that every algorithm has.
Yes, but this property might have security issues, so they should be
covered by the security considerations section.
I'm perfectly happy to have it documented in the Security Considerations.
Mike: Should I generate some text, or do you want to take a stab?
--
kivinen(_at_)iki(_dot_)fi <javascript:;>