[Openid-specs-ab] Question about at_hash with EdDSA

Justin Richer jricher at mit.edu
Tue Jun 2 21:08:55 UTC 2020

I haven’t been able to find a clean answer for this, but apologies if this is well-trodden already. 

The OIDC spec defines at_hash (and c_hash and others) as using “the hash algorithm used is the hash algorithm used in the alg Header Parameter of the ID Token's JOSE Header”. This is clear enough for things like RS256 and the like.

However, the definition of the “EdDSA” JOSE algorithm in RFC8037 (https://tools.ietf.org/html/rfc8037) does not define a hash algorithm in the same way. Edwards signatures as defined in RFC8032 (https://tools.ietf.org/html/rfc8032) seem to internally use SHA-512, but I’m not positive that’s every time or just in the case where you do the pre-hashing calculation. Regardless, the JOSE spec is silent on the matter.

So the question is: which hash algorithm do we use for an “EdDSA” signed token when calculating at_hash and its ilk?

 — Justin
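
The rule quoted in the message above, as an added example that is not part of the original post: at_hash is the base64url encoding (no padding) of the left-most half of the hash of the access token's ASCII bytes, with the hash taken from the ID Token's alg. The function names and the sample token are hypothetical; for "EdDSA" the code refuses to pick a hash, since the alg name does not supply one.

```python
import base64
import hashlib
import hmac

# Hash implied by the trailing digits of the JWS alg name (RS256, ES384, PS512, ...).
_HASH_BY_SUFFIX = {"256": hashlib.sha256, "384": hashlib.sha384, "512": hashlib.sha512}


def hash_for_alg(alg):
    """Return the hashlib constructor implied by a JWS alg name, or raise."""
    # HS*, RS*, ES* and PS* carry the hash size in the name itself.
    if len(alg) == 5 and alg[:2] in ("HS", "RS", "ES", "PS") and alg[2:] in _HASH_BY_SUFFIX:
        return _HASH_BY_SUFFIX[alg[2:]]
    # "EdDSA" (RFC 8037) names no hash, so fail closed instead of guessing.
    raise ValueError(f"alg {alg!r} does not name a hash algorithm")


def left_half_hash(value, alg):
    """Compute an at_hash / c_hash style value for the given ID Token alg."""
    digest = hash_for_alg(alg)(value.encode("ascii")).digest()
    left = digest[: len(digest) // 2]  # left-most half of the digest octets
    return base64.urlsafe_b64encode(left).rstrip(b"=").decode("ascii")


def verify_at_hash(access_token, alg, claimed):
    """Constant-time comparison of the computed at_hash with the claim."""
    return hmac.compare_digest(left_half_hash(access_token, alg), claimed)


# Constructed sample value, not a real token.
SAMPLE_TOKEN = "constructed-sample-access-token"

if __name__ == "__main__":
    for alg in ("RS256", "ES384", "PS512", "EdDSA"):
        try:
            print(alg, left_half_hash(SAMPLE_TOKEN, alg))
        except ValueError as exc:
            print(alg, "->", exc)
```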
