Opened 10 years ago

Closed 10 years ago

#10 closed defect (wontfix)

Remove implementation requirements

Reported by: rbarnes@… Owned by: draft-ietf-jose-json-web-algorithms@…
Priority: major Milestone:
Component: json-web-algorithms Version:
Severity: - Keywords:


There has been long-standing agreement in the group that JWA algorithms should not have requirements levels. Instead, applications using JWE/JWS should specify which algorithms should be used.

Change History (3)

comment:1 Changed 10 years ago by michael.jones@…

Based upon recent IESG feedback to the OAuth working group, the IESG does appear to continue to want specifications to include sufficient mandatory-to-implement (MTI) features to facilitate interoperability. Also, as our area directors have pointed out, people should bear in mind that mandatory-to-implement is not the same thing as mandatory-to-use.

Finally, our charter currently requires us to define mandatory-to-implement (MTI) algorithms.

comment:2 Changed 10 years ago by rlb@…

(Speaking as an individual)

If you would like to get IESG feedback here, it would better to ask directly, instead of inferring from the OAuth case. The answer might be different.

I would propose to solve this problem in two parts:

  1. Have JWE / JWS / JWA be completely algorithm agnostic (no MTI)
  2. In an "implementation considerations" document, specify a recommended baseline suite of algorithms. (I would prefer RECOMMENDED, but I might acquiesce to REQUIRED if the base specs are agnostic.)

comment:3 Changed 10 years ago by ietf@…

  • Resolution set to wontfix
  • Status changed from new to closed

The IESG has had a discussion on this issue as part of the recent charter discussions. The chairs believe that is is clear from that discussions that MTI algorithms are going to be required in order for the documents to progress. For that reason we are closing this ticket.

Note: See TracTickets for help on using tickets.