paseto-standard / paseto-spec

Specification for Platform Agnostic SEcurity TOkens (PASETO)

Document Non-Features? #10

Closed paragonie-security closed 2 years ago

paragonie-security commented 2 years ago

Is it worthwhile for us to specify non-goals and features we will not consider for inclusion?

For example: At the top of the list is something analogous to JWT's jku claim. This can have a devastating impact on security, as Ryan Sleevi points out with OIDC-Discovery. We're generally better off leaving a jku equivalent out of PASETO entirely.

(What we may do instead is write a future PASETO extension that piggybacks on Gossamer to distribute public keys in an auditable and transparent way.)
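As an added illustration of the point above (example code, not from the PASETO spec, PASERK, or this issue thread): a verifier-side key lookup that selects the public key only from a locally configured trusted set, chosen by the key id in the token footer, and rejects outright any footer that carries a remote key-location claim instead of following it. The JSON footer layout, the claim names and the key set are assumptions made for the example.

```python
import json
from typing import Mapping, Optional

# Constructed trusted key set for the example: key id -> public key bytes.
# Placeholder values; a real verifier would load its own configured keys here.
TRUSTED_KEYS: Mapping[str, bytes] = {
    "key-1": b"<public key bytes, placeholder>",
}

# Footer claims that would let a token name where its own verification key
# should be fetched from (the jku-style pattern the issue warns against).
KEY_LOCATION_CLAIMS = ("jku", "x5u")


def resolve_public_key(
    footer: bytes, trusted: Mapping[str, bytes] = TRUSTED_KEYS
) -> Optional[bytes]:
    """Return the verification key for a token, or None to reject the token.

    The key is taken only from the verifier's own trusted set, selected by the
    footer's ``kid``. The token is never allowed to direct a network fetch.
    """
    if not footer:
        return None
    try:
        claims = json.loads(footer)
    except ValueError:
        return None
    if not isinstance(claims, dict):
        return None
    # Hard reject: a key-location claim is a signal the token is trying to
    # choose its own trust root, so do not fall back to kid lookup either.
    if any(name in claims for name in KEY_LOCATION_CLAIMS):
        return None
    kid = claims.get("kid")
    if not isinstance(kid, str):
        return None
    # Unknown key ids are rejected rather than resolved from anywhere else.
    return trusted.get(kid)
```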

paragonie-security commented 2 years ago

We've been clear enough with our intentions to develop extensions (e.g. PASERK) for missing features that, hopefully, this won't confuse anyone.