| Internet-Draft | Fully-Specified Algorithms for JOSE and | August 2023 |
| Jones & Steele | Expires 3 March 2024 | [Page] |
This specification refers to cryptographic algorithm identifiers that fully specify the cryptographic operations to be performed, including any curve, key derivation function (KDF), hash functions, etc., as being "fully specified". Whereas, it refers to cryptographic algorithm identifiers that require additional information beyond the algorithm identifier to determine the cryptographic operations to be performed as being "polymorphic". This specification creates fully-specified algorithm identifiers for all registered JOSE and COSE polymorphic algorithm identifiers, enabling applications to use only fully-specified algorithm identifiers.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 3 March 2024.¶
Copyright (c) 2023 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
The IANA algorithm registries for JOSE [IANA.JOSE.Algorithms] and COSE [IANA.COSE.Algorithms] contain two kinds of algorithm identifiers:¶
RS256 and ES256K in both JOSE and COSE
and ES256 in JOSE.¶
EdDSA in both JOSE and COSE
and ES256 in COSE.¶
This matters because many protocols negotiate supported operations using only algorithm identifiers. For instance, OAuth Authorization Server Metadata [RFC8414] uses negotiation parameters like these (from an example in the specification):¶
"token_endpoint_auth_signing_alg_values_supported": ["RS256", "ES256"]¶
OpenID Connect Discovery [OpenID.Discovery] likewise negotiates supported algorithms
using alg and enc values.
W3C Web Authentication [WebAuthn] and
FIDO Client to Authenticator Protocol (CTAP) [FIDO2]
negotiate using COSE alg numbers.¶
This does not work for polymorphic algorithms.
For instance, with EdDSA, you do not know which of the curves
Ed25519 and/or Ed448 are supported!
This causes real problems in practice.¶
WebAuthn contains this de-facto algorithm definition to work around this problem:¶
-8 (EdDSA), where crv is 6 (Ed25519)¶
This redefines the COSE EdDSA algorithm identifier
for the purposes of WebAuthn to restrict it to using
the Ed25519 curve - making it non-polymorphic
so that algorithm negotiation can succeed, but also effectively
eliminating the possibility of using Ed448.
Other similar workarounds for polymorphic algorithm identifiers are used in practice.¶
This specification creates fully-specified algorithm identifiers for all registered polymorphic JOSE and COSE algorithms and their parameters, enabling applications to use only fully-specified algorithm identifiers. It furthermore deprecates the practice of registering polymorphic algorithm identifiers.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
This section creates fully-specified digital signature algorithm identifiers for all registered polymorphic JOSE and COSE algorithms and their parameters.¶
[RFC9053] defines the current use of
the Elliptic Curve Digital Signature Algorithm (ECDSA) by COSE.
The COSE algorithm registrations for ECDSA are polymorphic,
since they do not specify the curve used.
For instance, ES256 is defined as
"ECDSA w/ SHA-256" in Section 2.1 of [RFC9053].
(The corresponding JOSE registrations in [RFC7518] are full-specified.)¶
The following fully-specified COSE algorithms are defined:¶
| Name | COSE Value | Description | COSE Recommended |
|---|---|---|---|
| ESP256 | TBD (requested assignment -9) | ECDSA using P-256 curve and SHA-256 | Yes |
| ESP384 | TBD (requested assignment -48) | ECDSA using P-384 curve and SHA-384 | Yes |
| ESP512 | TBD (requested assignment -49) | ECDSA using P-521 curve and SHA-512 | Yes |
[RFC8037] defines the current use of
the Edwards-Curve Digital Signature Algorithm (EdDSA)
by JOSE and [RFC9053] defines its current use by COSE.
Both register polymorphic EdDSA algorithm identifiers.¶
The following fully-specified JOSE and COSE algorithms are defined:¶
| Name | COSE Value | Description | JOSE Implementation Requirements | COSE Recommended |
|---|---|---|---|---|
| Ed25519 | TBD (requested assignment -50) | EdDSA using Ed25519 curve | Optional | No |
| Ed448 | TBD (requested assignment -51) | EdDSA using Ed448 curve | Optional | No |
This section registers the following values in the IANA "JSON Web Signature and Encryption Algorithms" registry [IANA.JOSE.Algorithms].¶
The following registration is updated to change its status to Deprecated.¶
This section registers the following values in the IANA "COSE Algorithms" registry [IANA.COSE.Algorithms].¶
The following registrations are updated to change their status to Deprecated.¶
The review instructions for the designated experts for the IANA "JSON Web Signature and Encryption Algorithms" registry [IANA.JOSE.Algorithms] in Section 7.1 of [RFC7518] are updated to add this additional review criterion:¶
The review instructions for the designated experts for the IANA "COSE Algorithms" registry [IANA.COSE.Algorithms] in Section 10.4 of [RFC9053] are also updated to add the same additional review criterion.¶
Using fully-specified algorithm identifiers reduces the attack surface relative to using polymorphic algorithm identifiers, since it reduces the opportunity for attackers to choose algorithms.¶
The security considerations for ECDSA in [RFC7518], for EdDSA in [RFC8037], and for ECDSA and EdDSA in [RFC9053] apply.¶
Future versions of this specification may cover these additional topics:¶
alg value, if included.¶
EDCH-ES and its ephemeral keys.¶
[[ to be removed by the RFC Editor before publication as an RFC ]]¶
-01¶
ES25519 to Ed25519 and
ES448 to Ed448, by popular demand!¶
-00¶
The authors thank John Bradley, Brian Campbell, Ilari Liusvarra, Tobias Looker, and Filip Skokan for their contributions to this specification.¶