Comments (2)
From the outside, it looks like your goal is to provide versioning, but instead of a version number you use a named cipher suite. Some kind of readable versioning. To this end, the best description I can think of is "Provide an upgrade path".
Now I must confess I'm not the biggest fan of readable names as version numbers. Without cryptographic knowledge users won't be able to tell which cipher suite is the latest, and that might cause problems down the line — or at least require you to be crystal clear which is which, and guide the upgrade path with an iron fist, say by frowning really strongly at implementers who don't default to the latest cipher suite like the specs says they should.
This could be remedied by prefixing the cipher suite name with the version number. Say, "alg": "v1 ES256"
instead of the current "alg": "ES256"
. It's more characters unfortunately, but I personally see any other way.
Also, I noticed that you have both hashes and signatures. They appear to be completely disjoint. It would make sense then to let the version numbers be uncorrelated. For instance, if cryptographically relevant quantum computers ever become reality, you'll have to change the signature, but the hash might very well survive. In this case you would get "alg": "v2 PQ_LAT"
and "alg": "v1 SHA256"
respectively. I personally wouldn't bother synchronising the version numbers.
(Edit: that being said, I wouldn't fault you for deciding that version number prefixes are ugly, and stick to the descriptive names anyway. I've used a lot of words, but to be honest I was nitpicking more than I was actually criticising.)
from coze.
or at least require you to be crystal clear which is which, and guide the upgrade path
Yes, that is the goal.
And yes, from the other forum, my hope for Coze is to provide descriptive names as versions. I'm also in agreement with you on the method of upgrading that the only safe way "is to break users overnight, and force all providers to upgrade now. Coordinated release, CVE style." That's another reason why version numbers don't seem helpful. The other case of a totally broken algorithm should cause Coze to mark that value for "alg" as insecure and prohibit from further use.
I'd advocate that problems with Coze should be fixed while coordinating with implementations. Seperately, problems with primitive implementation needs to be addressed by implementors (if there's a problem with a Go implementation of Coze, Go Coze needs to work on the fix).
Coze assigns a hashing and a signing algorithm to a Coze signing "alg" ("ES256" is assigned SHA-256 and ECDSA P-256) which is used for all Coze related operations). If there was an application that was using ECDSA P256 with SHA-512/256 instead of SHA-256 that would require a new "alg" value, for example, something like "alg":"ES256_SHA-512/256".
from coze.
Related Issues (20)
- MapItem is unsafe, and MapSlice does not have a well-defined order HOT 53
- JSON round-trip fails for MapSlice HOT 4
- Make new repositories for the specification and implementations
- JSON doesn't define "integer" -- int values need to be strings HOT 11
- Use JSONv2 when production ready HOT 2
- Further constraints on Ed25519
- Base64 encoding can only elide padding when the size of encoded data is known HOT 7
- Enforce Canonical Base 64 encoding. HOT 3
- Think about adding "MustMarshal" and "MarshalPretty"
- Consider documenting that `rvk` denotes expiry for Coze keys. HOT 2
- implement pure python or python wrapper lib HOT 2
- implement kyber (liboqs) ciphers for Coze HOT 3
- Unsigned Alg and Tmb
- Active HOT 5
- Duplicate JSON keys create misleading verification results in the web UI HOT 1
- Issues HOT 2
- 404 in Readme.md HOT 1
- Locally hosted Cyphr.me's verifier.
- Godoc in 1.19 does not appear to link to packages as documented.
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from coze.