Noticed a lot of discussion online today about RSA encryption and some people’s opinions about its weaknesses (e.g., “don’t ever use it” etc) . I would much rather use public/private key than symmetric key signatures because the latter requires me to maintain yet another secret, however, so I’m just wondering what people think of using the “RS256” option for JWT signing? Maybe that is too open-ended a question…
Hi @troy.motte,
Thanks for joining us in the Auth0 Community and bringing this discussion topic. I am reaching out to some folks that should hopefully provide some pointed thoughts.
Thanks,
Dan
Although I think I know and read at least one of the discussions you hint to, I’ll just share my personal opinion because I’m far from an expert in crypto.
On the discussion I read, although I confess I only skimmed through it, there seemed to be a focus on the usage of RSA within TLS which likely needs to be considered separately from the usage of RSA in JWT signing so I’m unsure of how much of the bad things I read about would directly apply to this scenario.
In conclusion, I think those discussions are meant to motivate the adoption of more recent approaches to crypto which in theory may be better. However, newer also likely means less tested so the only guarantee we have is that online security is a moving target and what holds today will likely not hold tomorrow (hopefully, not tomorrow, but a bit more into the future).
Actually having looked around some more, maybe it would be good if Auth0 considers support for the elliptic-curve variations in the JWA standard, e.g. ES256 or something. Although I haven’t checked to see if how easily I can find an implementation of such.
The last time I checked, maybe a month or two ago, there were no immediate plans to add support to those algos, but there are some new specifications around OpenID connect I believe that chose those algorithms over RS* so the inexistent plans at the moment does not mean that there won’t be support for ES* in the future. If you haven’t done so already, I would recommend you to leave feedback about this through Auth0: Secure access for everyone. But not just anyone. as that has guaranteed review by our product team and could help them better understand demand.
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.