[Openid-specs-fapi] Question regarding JWS alg in FAPI part 2, read and write security profile
Nat Sakimura
nat at sakimura.org
Thu Jul 20 08:47:56 UTC 2017
Hi Sascha,
This came up during the WG calls as well.
The short answer is that there are several attacks identified for
RSASSA-PKCS1-v1_5 while PSS padding is safe. Cryptographer's opinion is
that RSASSA-PKCS1-v1_5 should be retired.
We agreed in the WG call to add RS256 as a permissible algorithm when
an HSM is used and the HSM in place does not support PS256 or ES256 in the
final, but it has to be done in a way that does not raise a red flag
from the cryptographers. Please see
https://bitbucket.org/openid/fapi/issues/101/jws-signature-algorithms-for-rw.
Best,
---
Nat Sakimura
Research Fellow, Nomura Research Institute
Chairman of the Board, OpenID Foundation
On 2017-07-20 15:20, Preibisch, Sascha H via Openid-specs-fapi wrote:
> Hi all!
>
> I just read through the spec. and in section 8.6
> (http://openid.net/specs/openid-financial-api-part-2.html#jws-algorithm-considerations)
> we recommend to use PS256 or ES256 as signing algorithms.
>
> Here
> "https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-14#section-3.1"
> PS256 is marked as OPTIONAL.
>
> I would like to understand why we recommend PS256 rather than RS256,
> which is RECOMMENDED and widely used.
>
> I saw that issue #92 spoke about this topic but I did not really
> understand it, I believe.
>
>
> Thanks,
> Sascha
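An added example, not part of the original thread or of the FAPI specification: a receiver-side check that enforces the algorithm policy discussed above before any signature verification runs. The function name `check_jws_alg` and the opt-in flag `allow_hsm_rs256` are hypothetical, and the sample tokens are constructed with a dummy signature segment.

```python
import base64
import json

# Algorithms the thread says the read/write profile recommends.
PREFERRED_ALGS = frozenset({"PS256", "ES256"})
# RS256 is tolerated only behind an explicit opt-in (hypothetical flag) for
# deployments whose HSM cannot produce PS256 or ES256 signatures.
HSM_FALLBACK_ALGS = frozenset({"RS256"})


class AlgorithmRejected(ValueError):
    """Raised when a JWS header names an algorithm the policy does not allow."""


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def check_jws_alg(compact_jws: str, allow_hsm_rs256: bool = False) -> str:
    """Return the header's alg if policy permits it, else raise AlgorithmRejected."""
    parts = compact_jws.split(".")
    if len(parts) != 3:
        raise AlgorithmRejected("not a compact JWS (expected 3 segments)")
    try:
        header = json.loads(b64url_decode(parts[0]))
    except ValueError as exc:  # covers base64, UTF-8 and JSON decode errors
        raise AlgorithmRejected("unparseable JWS header") from exc
    alg = header.get("alg") if isinstance(header, dict) else None
    if not isinstance(alg, str):
        raise AlgorithmRejected("missing or non-string alg")
    allowed = PREFERRED_ALGS | (HSM_FALLBACK_ALGS if allow_hsm_rs256 else frozenset())
    # Exact, case-sensitive allow-list match: "none", HS256, "ps256" all fail here.
    if alg not in allowed:
        raise AlgorithmRejected(f"alg {alg!r} not permitted by policy")
    return alg


def constructed_jws(alg: str) -> str:
    """Build a constructed sample token; the signature segment is a dummy."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': alg, 'typ': 'JWT'})}.{enc({'iss': 'client.example'})}.c2ln"
```

The returned value, not the token's header, should then select the verification routine, so a sender cannot steer the receiver onto a weaker algorithm.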