Technical Summary
This specification refers to cryptographic algorithm identifiers that
fully specify the cryptographic operations to be performed, including
any curve, key derivation function (KDF), hash functions, etc., as
being "fully specified". In contrast, it refers to cryptographic
algorithm identifiers that require additional information beyond the
algorithm identifier to determine the cryptographic operations to be
performed as being "polymorphic". This specification creates fully-
specified algorithm identifiers for registered JOSE and COSE
polymorphic algorithm identifiers, enabling applications to use only
fully-specified algorithm identifiers.
Working Group Summary
There was one reviewer who disagreed with the approach taken to solve the
problem. He stated that protocols could add metadata values as needed to
provide additional algorithm parameters, rather than depending upon having
fully-specified algorithms. However, despite that dissent, there was working
group support for solving the problem in the manner specified.
No threatened appeal or extreme discontent.
Document Quality
The OpenID FAPI 2.0 Security Profile
(https://openid.net/specs/fapi-security-profile-2_0.html) suggests use of the
"Ed25519" algorithm, once registered. That specification is in OpenID
Foundation-wide review to become final, roughly the equivalent of IETF Last
Call. There are many open finance and open banking ecosystems around the world
using FAPI 2.0.
There is also interest within the FIDO Alliance in using "Ed448",
once registered.
While there are no normative downward references, there is an informative downward
reference to RFC 8152 (which has been obsoleted by RFC 9052 and RFC 9053, which
are normatively referenced) because the specification updates the status of an
algorithm registration made by RFC 8152. The registration is not found in the
RFCs replacing it.
Personnel
The Document Shepherd for this document is Karen O'Donoghue. The
Responsible Area Director is Deb Cooley.