[Openid-specs-fapi] Issue #207: RS256 vs PS256 (again) (openid/fapi)

Joseph Heenan issues-reply at bitbucket.org
Wed Jan 9 05:51:51 UTC 2019

New issue 207: RS256 vs PS256 (again)

Joseph Heenan:

We've discussed this before ( https://bitbucket.org/openid/fapi/issues/101/jws-signature-algorithms-for-rw ). There still seems to be notable industry pushback so it may be worth further thought.

The Australians are considering using RS256:


OpenBanking UK still has waivers in place that allow RS256:


This seems to be the most contentious and most disregarded part of FAPI. I think we should probably consider at least providing extra explanation of the rational and possible mitigations. It may also be worth explicitly saying to definitely not use RS256 for encryption, but that perhaps for signing the language should be a little weaker?

As I understand the rational, it's that:

1) RS256 has definite issues for encryption (e.g. https://cryptosense.com/blog/why-pkcs1v1-5-encryption-should-be-put-out-of-our-misery/ )

2) PS256 has formal security proofs, RS256 doesn't.

(It's not my area of expertise though.)

I believe the major argument against PS256 is that for many languages it is not supported out of the box by commonly used libraries - e.g. https://jwt.io doesn't even show which libraries do/don't support PS256.

More information about the Openid-specs-fapi mailing list