Thank you, Brian, DW and Aaron for the references. Mike and I discussed this and we would like to
- Make SHA-256 the mandatory to implement algorithm, to guarantee interoperability (as suggested by DW). - Use the "Named Information Hash Algorithm Registry" as the source of a string hash algorithm identifiers when including hash function explicitly in the URI prefix. This means that an example of using the SHA-256 hash function > urn:ietf:params:oauth:jwk-thumbprint:S256:NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs would become > urn:ietf:params:oauth:jwk-thumbprint:sha-256:NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs Best, Kristina . -----Original Message----- From: OAuth <oauth-boun...@ietf.org> On Behalf Of David Waite Sent: Friday, February 4, 2022 6:17 PM To: Mike Jones <Michael.Jones=40microsoft....@dmarc.ietf.org> Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] WGLC for JWK Thumbprint URI document > On Feb 4, 2022, at 6:32 PM, Mike Jones > <Michael.Jones=40microsoft....@dmarc.ietf.org> wrote: > > Kristina and I spoke about it today and we agreed that it makes sense > to make the hash algorithm explicit. So for instance, we'd propose > that the example > urn:ietf:params:oauth:jwk-thumbprint:NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfH > kxZsRGC9Xs > become > urn:ietf:params:oauth:jwk-thumbprint:S256:NzbLsXh8uDCcd-6MNwXF4W_7noWX > FZAfHkxZsRGC9Xs > when using the SHA-256 hash function. > > Similarly, we'd propose to also define S384, S512, and possibly also S3-256, > S3-384, and S3-512 (for the SHA-3 hash functions). My ideal would be making the algorithm explicit in the name, while deferring establishing a registry of other algorithms until a technical need is established. While it is not necessary that a URN namespace define a unique name for a resource, it is a useful property that would be lost with multiple hashing schemes. Use of a hashing scheme not supported by a piece of software would also mean that there is no way to verify the name corresponds to a given resource. For this reason, if we do support multiple algorithms I would expect a mandate in dependent specs and systems that mandate a specific one or a specific set. For example, they may exclude the Kekkak variants (SHA3, SHAKE) as there are no other algorithms registered for JOSE which depend upon them. > > For extra credit, if there's already an IANA registry with string names for > these hash functions, we'd consider using it. I looked for one and > surprisingly didn't find it. Or we could create one. > The COSE algorithms are declared with both numbers and names, and include hashes as algorithms. https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.iana.org%2Fassignments%2Fcose%2Fcose.xhtml%23algorithms&data=04%7C01%7CKristina.Yasuda%40microsoft.com%7C6efedfb5f6f745813e5f08d9e84da05d%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637796242424613801%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=S7XBsB8pokg2Vd2aDRsvdu8MwqW1CLCy8WR31IwBrsY%3D&reserved=0 -DW _______________________________________________ OAuth mailing list OAuth@ietf.org https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Foauth&data=04%7C01%7CKristina.Yasuda%40microsoft.com%7C6efedfb5f6f745813e5f08d9e84da05d%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637796242424613801%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=DSwK90M9dF2dtVnALFI7jTwzP%2BCCXS7WEH3FrENqK4Y%3D&reserved=0 _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
