On Mon, Dec 9, 2024 at 2:57 PM Eliot Lear <lear@xxxxxxx> wrote:
Yes. And now we are repeating the SAAG discussion in its entirety.
Like we don't repeat it there every 6 months.
I haven't waded in this time round. But as I always say, the solution to these issues is to design the protocol so you can use an OID as an algorithm identifier.
The big advantage of OIDs for algorithms is that anyone can define them without IETF involvement and thus the issue of endorsement simply doesn't come up.
XML Signature uses URIs and there is an OID URI.
For other protocols which use labels, I would construct a single registry for all algorithms with the JOSE and COSE tags and tell all apps going that route to use them. And I would make that specification required, again to avoid endorsement.