independent

michael_b_jones@hotmail.com https://self-issued.info/

Transmute

orie@transmute.industries

Security JOSE Working Group Cryptographic Algorithm Identifiers JSON Object Signing and Encryption (JOSE) CBOR Object Signing and Encryption (COSE) Internet-Draft This specification refers to cryptographic algorithm identifiers that fully specify the cryptographic operations to be performed, including any curve, key derivation function (KDF), hash functions, etc., as being "fully specified". Whereas, it refers to cryptographic algorithm identifiers that require additional information beyond the algorithm identifier to determine the cryptographic operations to be performed as being "polymorphic". This specification creates fully-specified algorithm identifiers for all registered JOSE and COSE polymorphic algorithm identifiers, enabling applications to use only fully-specified algorithm identifiers.

The IANA algorithm registries for JOSE and COSE contain two kinds of algorithm identifiers: Those that fully determine the cryptographic operations to be performed, including any curve, key derivation function (KDF), hash functions, etc. Examples are RS256 and ES256K in both JOSE and COSE and ES256 in JOSE. Those requiring information beyond the algorithm identifier to determine the cryptographic operations to be performed. Such additional information could include the actual key value and a curve that it uses. Examples are EdDSA in both JOSE and COSE and ES256 in COSE. This matters because many protocols negotiate supported operations using only algorithm identifiers. For instance, OAuth Authorization Server Metadata uses negotiation parameters like these (from an example in the specification):

OpenID Connect Discovery likewise negotiates supported algorithms using alg and enc values. W3C Web Authentication and FIDO Client to Authenticator Protocol (CTAP) negotiate using COSE alg numbers. This does not work for polymorphic algorithms. For instance, with EdDSA, you do not know which of the curves Ed25519 and/or Ed448 are supported! This causes real problems in practice. WebAuthn contains this de-facto algorithm definition to work around this problem:

This redefines the COSE EdDSA algorithm identifier for the purposes of WebAuthn to restrict it to using the Ed25519 curve - making it non-polymorphic so that algorithm negotiation can succeed, but also effectively eliminating the possibility of using Ed448. Other similar workarounds for polymorphic algorithm identifiers are used in practice. This specification creates fully-specified algorithm identifiers for all registered polymorphic JOSE and COSE algorithms and their parameters, enabling applications to use only fully-specified algorithm identifiers. It furthermore deprecates the practice of registering polymorphic algorithm identifiers.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

This section creates fully-specified digital signature algorithm identifiers for all registered polymorphic JOSE and COSE algorithms and their parameters.

defines the current use of the Elliptic Curve Digital Signature Algorithm (ECDSA) by COSE. The COSE algorithm registrations for ECDSA are polymorphic, since they do not specify the curve used. For instance, ES256 is defined as "ECDSA w/ SHA-256" in Section 2.1 of . (The corresponding JOSE registrations in are full-specified.) The following fully-specified COSE algorithms are defined: Name COSE Value Description COSE Recommended ESP256 TBD (requested assignment -9) ECDSA using P-256 curve and SHA-256 Yes ESP384 TBD (requested assignment -48) ECDSA using P-384 curve and SHA-384 Yes ESP512 TBD (requested assignment -49) ECDSA using P-521 curve and SHA-512 Yes

defines the current use of the Edwards-Curve Digital Signature Algorithm (EdDSA) by JOSE and defines its current use by COSE. Both register polymorphic EdDSA algorithm identifiers. The following fully-specified JOSE and COSE algorithms are defined: Name COSE Value Description JOSE Implementation Requirements COSE Recommended ES25519 TBD (requested assignment -50) EdDSA using Ed25519 curve Optional No ES448 TBD (requested assignment -51) EdDSA using Ed448 curve Optional No

This section registers the following values in the IANA "JSON Web Signature and Encryption Algorithms" registry .

Algorithm Name: ES25519 Algorithm Description: EdDSA using Ed25519 curve Algorithm Usage Locations: alg JOSE Implementation Requirements: Optional Change Controller: IESG Reference: of [[ this specification ]] Algorithm Analysis Document(s):   Algorithm Name: ES448 Algorithm Description: EdDSA using Ed448 curve Algorithm Usage Locations: alg JOSE Implementation Requirements: Optional Change Controller: IESG Reference: of [[ this specification ]] Algorithm Analysis Document(s):

The following registration is updated to change its status to Deprecated. Algorithm Name: EdDSA Algorithm Description: EdDSA signature algorithms Algorithm Usage Locations: alg JOSE Implementation Requirements: Deprecated Change Controller: IESG Reference: Section 3.1 of RFC8037 Algorithm Analysis Document(s):

This section registers the following values in the IANA "COSE Algorithms" registry .

Name: ESP256 Value: TBD (requested assignment -9) Description: ECDSA using P-256 curve and SHA-256 Reference: of this document Recommended: Yes   Name: ESP384 Value: TBD (requested assignment -48) Description: ECDSA using P-384 curve and SHA-384 Reference: of this document Recommended: Yes   Name: ESP512 Value: TBD (requested assignment -49) Description: ECDSA using P-521 curve and SHA-512 Reference: of this document Recommended: Yes   Name: ES25519 Value: TBD (requested assignment -50) Description: EdDSA using Ed25519 curve Reference: of this document Recommended: Yes   Name: ES448 Value: TBD (requested assignment -51) Description: EdDSA using Ed448 curve Reference: of this document Recommended: Yes

The following registrations are updated to change their status to Deprecated. Name: ES256 Value: -7 Description: ECDSA w/ SHA-256 Reference: RFC 9053 Recommended: Deprecated   Name: ES384 Value: -35 Description: ECDSA w/ SHA-384 Reference: RFC 9053 Recommended: Deprecated   Name: ES512 Value: -36 Description: ECDSA w/ SHA-512 Reference: RFC 9053 Recommended: Deprecated   Name: EdDSA Value: -8 Description: EdDSA Reference: RFC 9053 Recommended: Deprecated

The review instructions for the designated experts for the IANA "JSON Web Signature and Encryption Algorithms" registry in Section 7.1 of are updated to add this additional review criterion: Registration requests for polymorphic algorithm identifiers must not be accepted; only fully-specified algorithm identifiers may be registered going forward. The review instructions for the designated experts for the IANA "COSE Algorithms" registry in Section 10.4 of are also updated to add the same additional review criterion.

Using fully-specified algorithm identifiers reduces the attack surface relative to using polymorphic algorithm identifiers, since it reduces the opportunity for attackers to choose algorithms. The security considerations for ECDSA in , for EdDSA in , and for ECDSA and EdDSA in apply.

Future versions of this specification may cover these additional topics: What other polymorphic algorithm registrations have we missed? Discuss why varying RSA key sizes don't necessitate per-key-size algorithm identifiers. Discuss the treatment of EDCH-ES and its ephemeral keys.

IANA IANA NAT.Consulting Yubico independent Illumila PayPal

jdhodges@google.com

Mozilla

jc@mozilla.com

Microsoft

mbj@microsoft.com http://self-issued.info/

Microsoft

akshayku@microsoft.com

Yubico

emil@yubico.com

Yubico

jbradley@yubico.com

PayPal

jdhodges@google.com

Microsoft

mbj@microsoft.com http://self-issued.info/

Microsoft

akshayku@microsoft.com

OneSpan

johan.verrept@onespan.com

[[ to be removed by the RFC Editor before publication as an RFC ]] -00 Initial version.

The authors thank John Bradley, Brian Campbell, and Tobias Looker for their contributions to this specification.