On Thu, Oct 16, 2014 at 5:39 PM, Brian Campbell <bcampb...@pingidentity.com> wrote:
> Hiya in return and inline below... > > On Thu, Oct 16, 2014 at 3:00 PM, Stephen Farrell < > stephen.farr...@cs.tcd.ie> wrote: > >> >> Hmm. So the SAML one only seems to have RSA-SHA1 as the MTI and the >> JOSE one has only H256 as required. >> >> Doesn't that seem like one is unacceptably old and the other >> is not great for this purpose? >> > > Admittedly, I was a little worried you'd say that :) > > >> >> My suggestion would be to add rsa-sha256 as MTI for these, as an >> addition to whatever JOSE and SAML make MTI. But I'd be happy to >> clear if you made any modern signature alg MTI. >> >> > Honestly, in my view, an MIT on these doesn't make a whole lot of sense as > I think what's actually implemented/supported will be dictated by the > larger deployments of SAML/SAMLP or JWT/JOSE/OpenID Connect. My feeling is > that an MIT in these specs would likely be ignored and/or not influence > implementers/deployers. So my preference would be to leave MTI out of these. > > But if you're not swayed by that line of thinking, and I'm guessing you're > not, rsa-sha256 is probably the most appropriate choice. Could you give > some guidance and/or point to examples of where and how to say that > appropriately in the documents? Thanks! > I'm going to back Stephen up on this one. It best that we do point out the right thing to do, even if it's not always followed. Some will expect implementations to be complaint to the standard and that will hopefully drive implementations to better choices for algorithms. We have too many issues of deployed code and applications using things they should not (SSLv3). > > >> Cheers, >> S. >> >> PS: Stuff below is fine. >> >> > Great, thank you. > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > -- Best regards, Kathleen
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
