Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Drop the alg parameter. #33

Closed
mikewest opened this issue Dec 17, 2024 · 1 comment
Closed

Drop the alg parameter. #33

mikewest opened this issue Dec 17, 2024 · 1 comment

Comments

@mikewest
Copy link
Member

Section 7.3.6 of RFC9421 suggests that the alg parameter be included only if it's a relevant join in the application's logic, discouraging its usage in general ("... applications are encouraged to use other mechanisms such as static configuration or a higher-protocol-level algorithm specification instead, preventing an attacker from substituting the algorithm specified."). Given that we only support Ed25519, it probably makes sense to drop the parameter from our profile.
@mikewest
Copy link
Member Author

cc @ddworken, as this will change the signature-input (and therefore the signature base (and therefore the signature)) in your prototypes if/when we make the change.

@mikewest mikewest mentioned this issue Dec 20, 2024
Open
chromium-wpt-export-bot pushed a commit to web-platform-tests/wpt that referenced this issue Dec 22, 2024
@mikewest @chromium-wpt-export-bot
[SRI Message Signatures] Drop the alg parameter.
74357de 
As per WICG/signature-based-sri#33, the plan
is to reject the `alg` parameter entirely, rather than locking it to a
single value.

Bug: 385160702
Change-Id: Iba57570fd8d0136b1d68e143a2fde5f48cd69806
Merged
aarongable pushed a commit to chromium/chromium that referenced this issue Dec 22, 2024
@mikewest
[SRI Message Signatures] Drop the alg parameter.
f27b95e 
As per WICG/signature-based-sri#33, the plan
is to reject the `alg` parameter entirely, rather than locking it to a
single value.

Bug: 385160702
Change-Id: Iba57570fd8d0136b1d68e143a2fde5f48cd69806
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6110599
Reviewed-by: Kenichi Ishibashi <bashi@chromium.org>
Commit-Queue: Mike West <mkwst@chromium.org>
Reviewed-by: Yoav Weiss (@Shopify) <yoavweiss@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1399650}
chromium-wpt-export-bot pushed a commit to web-platform-tests/wpt that referenced this issue Dec 22, 2024
@mikewest @chromium-wpt-export-bot
[SRI Message Signatures] Drop the alg parameter.
863b1ec 
As per WICG/signature-based-sri#33, the plan
is to reject the `alg` parameter entirely, rather than locking it to a
single value.

Bug: 385160702
Change-Id: Iba57570fd8d0136b1d68e143a2fde5f48cd69806
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6110599
Reviewed-by: Kenichi Ishibashi <bashi@chromium.org>
Commit-Queue: Mike West <mkwst@chromium.org>
Reviewed-by: Yoav Weiss (@Shopify) <yoavweiss@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1399650}
chromium-wpt-export-bot pushed a commit to web-platform-tests/wpt that referenced this issue Dec 22, 2024
@mikewest @chromium-wpt-export-bot
[SRI Message Signatures] Drop the alg parameter.
dda5022 
As per WICG/signature-based-sri#33, the plan
is to reject the `alg` parameter entirely, rather than locking it to a
single value.

Bug: 385160702
Change-Id: Iba57570fd8d0136b1d68e143a2fde5f48cd69806
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6110599
Reviewed-by: Kenichi Ishibashi <bashi@chromium.org>
Commit-Queue: Mike West <mkwst@chromium.org>
Reviewed-by: Yoav Weiss (@Shopify) <yoavweiss@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1399650}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@mikewest