Orie Steele and I have written a new specification creating algorithm identifiers for JOSE and COSE that fully specify the cryptographic operations to be performed – something we’d promised to do during our presentation to the JOSE working group at IETF 117. The introduction to the specification (quoted below) describes why this matters.
- Fully Specified: Those that fully determine the cryptographic operations to be performed, including any curve, key derivation function (KDF), hash functions, etc. Examples are ES256K in both JOSE and COSE and
- Polymorphic: Those requiring information beyond the algorithm identifier to determine the cryptographic operations to be performed. Such additional information could include the actual key value and a curve that it uses. Examples are EdDSA in both JOSE and COSE and
This matters because many protocols negotiate supported operations using only algorithm identifiers. For instance, OAuth Authorization Server Metadata [RFC8414] uses negotiation parameters like these (from an example in the specification):
"token_endpoint_auth_signing_alg_values_supported": ["RS256", "ES256"]
OpenID Connect Discovery [OpenID.Discovery] likewise negotiates supported algorithms using
enc values. W3C Web Authentication [WebAuthn] and FIDO Client to Authenticator Protocol (CTAP) [FIDO2] negotiate using COSE
This does not work for polymorphic algorithms. For instance, with EdDSA, you do not know which of the curves
Ed448 are supported! This causes real problems in practice.
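The negotiation gap described above, as an added example (not code from the specification or from this post): it flags polymorphic identifiers in RFC 8414-style metadata and shows identifier-only negotiation succeeding for a key the server cannot verify. The issuer URL, the server's implemented curves and the client key stub are constructed assumptions; the Ed25519 and Ed448 curve names for JOSE EdDSA keys come from RFC 8037.

```python
import json

# JOSE "EdDSA" does not name a curve; per RFC 8037 the key's "crv" is
# Ed25519 or Ed448. Only the identifier discussed on this page is listed.
POLYMORPHIC = {"EdDSA": ("Ed25519", "Ed448")}

def flag_polymorphic(metadata):
    """Map each *_alg_values_supported parameter to the advertised
    identifiers that leave the curve undetermined."""
    return {
        name: [a for a in values if a in POLYMORPHIC]
        for name, values in metadata.items()
        if name.endswith("_alg_values_supported")
        and any(a in POLYMORPHIC for a in values)
    }

def negotiate(preferred, advertised):
    """Identifier-only negotiation: first preferred alg the peer lists."""
    return next((a for a in preferred if a in advertised), None)

def can_verify(alg, jwk, implemented):
    """What the verifier can actually do, known only once the key is seen.
    `implemented` is a set of (alg, crv) pairs; crv is None when the
    identifier already fixes the curve."""
    crv = jwk.get("crv") if alg in POLYMORPHIC else None
    return (alg, crv) in implemented

# Constructed sample metadata (hypothetical server) and key stub.
METADATA = json.loads("""{
  "issuer": "https://as.example",
  "token_endpoint_auth_signing_alg_values_supported": ["RS256", "ES256", "EdDSA"]
}""")
SERVER_IMPLEMENTS = {("RS256", None), ("ES256", None), ("EdDSA", "Ed25519")}
CLIENT_KEY = {"kty": "OKP", "crv": "Ed448"}  # public key value omitted

if __name__ == "__main__":
    algs = METADATA["token_endpoint_auth_signing_alg_values_supported"]
    chosen = negotiate(["EdDSA", "ES256"], algs)
    print("flagged:", flag_polymorphic(METADATA))
    print("negotiated:", chosen)
    print("verifiable:", can_verify(chosen, CLIENT_KEY, SERVER_IMPLEMENTS))
```

Negotiation settles on EdDSA because both sides list it, yet the Ed448 key is rejected at verification time, which is the mismatch an identifier-only exchange cannot surface.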
WebAuthn contains this de-facto algorithm definition to work around this problem:
-8 (EdDSA), where crv is 6 (Ed25519)
This redefines the COSE EdDSA algorithm identifier for the purposes of WebAuthn to restrict it to using the Ed25519 curve – making it non-polymorphic so that algorithm negotiation can succeed, but also effectively eliminating the possibility of using Ed448. Other similar workarounds for polymorphic algorithm identifiers are used in practice.
This specification creates fully-specified algorithm identifiers for all registered polymorphic JOSE and COSE algorithms and their parameters, enabling applications to use only fully-specified algorithm identifiers. It furthermore deprecates the practice of registering polymorphic algorithm identifiers.
The specification is available at: