{"id":2688,"date":"2025-05-13T07:23:20","date_gmt":"2025-05-13T14:23:20","guid":{"rendered":"https:\/\/self-issued.info\/?p=2688"},"modified":"2025-05-13T07:23:20","modified_gmt":"2025-05-13T14:23:20","slug":"fully-specified-algorithms-are-now-the-law-of-the-land","status":"publish","type":"post","link":"https:\/\/self-issued.info\/?p=2688","title":{"rendered":"Fully-Specified Algorithms are now the Law of the Land"},"content":{"rendered":"

\"IETF<\/span><\/span>I’m thrilled to be able to report that, from now on, only fully-specified algorithms will be registered for JOSE and COSE. Furthermore, fully-specified signature algorithms are now registered to replace the previously registered polymorphic algorithms, which are now deprecated. For example, you can now use Ed25519<\/code> and Ed448<\/code> instead of the ambiguous EdDSA<\/code>.<\/p>\n

The new IANA JOSE registrations<\/a> and IANA COSE registrations<\/a> are now in place, as are the deprecations of the polymorphic signing algorithms. And perhaps most significantly for the long term, the instructions to the designated experts for both registries have been updated so that only fully-specified algorithms will be registered going forward.<\/p>\n

Lots of people deserve credit for this significant improvement to both ecosystems. Filip Skokan<\/a> was the canary in the coal mine, alerting the OpenID Connect working group<\/a> to the problems with trying to sign with Ed25519<\/code> and Ed448<\/code> when there were no algorithm identifiers that could be used to specify their use. Similarly, John Bradley<\/a> alerted the WebAuthn working group<\/a> to the same problems for WebAuthn<\/a> and FIDO2<\/a>, devising the clever and awful workaround<\/a> that, when used by those specs, EdDSA<\/code> is to be interpreted as meaning Ed25519<\/code>. John also supported this work as a JOSE working group<\/a> chair. Roman Danyliw<\/a> supported including the ability to specify the use of fully-specified algorithms in the JOSE charter<\/a> as the Security Area Director then responsible for JOSE. Karen O’Donoghue<\/a> created the shepherd write-up<\/a> as JOSE co-chair. Deb Cooley thoroughly reviewed and facilitated advancement of the specification as the Security Area Director currently responsible for JOSE. And of course, Orie Steele<\/a>, the co-inventor of the fully-specified algorithms idea, and my co-author since our audacious proposal to fix the polymorphic algorithms problem<\/a> at IETF 117 in July 2023 deserves huge credit for making the proposal a reality!<\/p>\n

The specification is now in the RFC Editor Queue<\/a>. I can’t wait until it pops out the other side as an RFC!<\/p>\n

The specification is available at:<\/p>\n