[Openid-specs-fapi] Issue #473: FAPI2 JWS alg choices are much wider than FAPI1 (openid/fapi)
josephheenan
issues-reply at bitbucket.org
Sat Feb 5 10:19:58 UTC 2022
New issue 473: FAPI2 JWS alg choices are much wider than FAPI1
https://bitbucket.org/openid/fapi/issues/473/fapi2-jws-alg-choices-are-much-wider-than
Joseph Heenan:
FAPI1Adv allowed only ‘PS256’ and ‘ES256’.
FAPI2Baseline says:

This seems to allow a much wider choice of algorithms, including possibly RS256 that was explicitly (and somewhat painfully for some implementers/deployments) dropped from FAPI1 due to concerns over RSASSA-PKCS1-v1_5 like those expressed in https://www.rfc-editor.org/rfc/rfc8017#section-8 (I’m not sure if that section is considered mandatory to comply with in FAPI2Baseline; if it is, this could be a case where it’d be easier for everyone if a clear requirement similar to that in FAPI1 was used instead).