Hello Linda,

Thanks for the review.

Speaking on the author's behalf, SHA-2 is defined as the collection of hash algorithms, including all of those cited (SHA-256, SHA-384, SHA-512). Do you believe it is critical to call this out explicitly?

- m&m

Matthew A. Miller

On 20/05/26 17:51, Linda Dunbar via Datatracker wrote:
> Reviewer: Linda Dunbar
> Review result: Not Ready
>
> I have reviewed this document as part of the security directorate's ongoing
> effort to review all IETF documents being processed by the IESG. These
> comments were written primarily for the benefit of the security area directors.
> Document editors and WG chairs should treat these comments just like any other
> last call comments.
>
> This document is to list down the COSE&JOSE Algorithms to be registered to
> IANA. But it seems the description is not complete. In the Section 2: among the
> 4 algorithms listed under RSASSA-PKCS1-v1_5, three are NOT recommended, one is
> deprecated. Under the Security Consideration (Section 5), Section 5.2 describes
> why SHA-2 is "Not Recommended", Section 5.3 describes why SHA-1 is
> "Deprecated". What about the description on why SHA-512, SHA-384, and SHA-256
> are not recommended? Is the missing description intended?
>
> Best Regards,
>
> Linda Dunbar
>
>
>

--
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call