AzureAD / microsoft-authentication-library-for-dotnet

Microsoft Authentication Library (MSAL) for .NET
https://aka.ms/msal-net
MIT License

Is MSAL ready for hybrid and postquantum PKI? #3848

Open 3BK opened 1 year ago

3BK commented 1 year ago

It appears that MSAL uses algorithms like RS256.

Is MSAL ready for hybrid and postquantum PKI?

references:
https://www.ietf.org/archive/id/draft-prorock-cose-post-quantum-signatures-01.txt
https://dl.acm.org/doi/abs/10.1007/978-3-031-20974-1_20
https://paragonie.com/blog/2017/03/jwt-json-web-tokens-is-bad-standard-that-everyone-should-avoid

SameerK-MSFT commented 1 year ago

Interesting question. @SaeedAkhter-MSFT do you have any input on this? Thx

bgavrilMS commented 1 year ago

Afaik AAD only supports RSA and is building support for ECD certs, so no, no post-quantum yet.

3BK commented 1 year ago

It's probably a roadmap alignment "thang"

[Images: CNSA 2.0 roadmap excerpts for software and firmware signing, web browsers/servers and cloud services, and operating systems; AAD roadmap]

3BK commented 1 year ago

AAD ... is building support for ECD certs,

That's hopefully a step in the right direction - towards hybrid PKI

3BK commented 1 year ago

Don't forget to refresh your hardware roadmap. ;)

bgavrilMS commented 1 year ago

Well, it's not just AAD. Clients (web sites, web apis) need to have new crypto stacks to be able to request tokens using signed assertions (a signed assertion is just another JWT, but one that the client generates). And RPs need to have it as well, to be able to verify signatures....
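As an added illustration of the signed-assertion flow described in the comment above (example code written for this page, not code from MSAL or from the commenter): the client builds a client-assertion JWT and signs it with RS256, and the relying party verifies it against an explicit algorithm allowlist rather than trusting the token's own `alg` header. The client id, audience URL and `jti` are constructed placeholders; the allowlist comment marks where a hybrid or post-quantum scheme would have to be wired in on both sides.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// RP allowlist: the verifier, not the token header, picks the algorithm; a hybrid/PQ scheme goes here first.
var allowedAlgs = map[string]bool{"RS256": true}
var enc = base64.RawURLEncoding

// signAssertion builds a client assertion (RFC 7523-style JWT: iss/sub = client id,
// aud = token endpoint, exp = unix time) and signs it with RS256 (RSASSA-PKCS1-v1_5, SHA-256).
func signAssertion(key *rsa.PrivateKey, clientID, aud string, exp int64) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	claims, _ := json.Marshal(map[string]interface{}{"iss": clientID, "sub": clientID,
		"aud": aud, "jti": "constructed-jti-1", "exp": exp}) // jti is a constructed placeholder
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(claims)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + enc.EncodeToString(sig), nil
}

// verifyAssertion is the RP side: reject any alg outside the allowlist, then verify the signature over header.payload.
func verifyAssertion(pub *rsa.PublicKey, token string) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return errors.New("malformed JWT")
	}
	var hdr struct{ Alg string }
	raw, err := enc.DecodeString(parts[0])
	if err != nil || json.Unmarshal(raw, &hdr) != nil || !allowedAlgs[hdr.Alg] {
		return errors.New("alg not in allowlist")
	}
	sig, err := enc.DecodeString(parts[2])
	if err != nil {
		return err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}
```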

3BK commented 1 year ago

Agreed. Hybrid (and/or post quantum) are substantial changes. (Probably driven by Balanced Scorecard goals.)