ssbc / bendy-butt-spec


add crypto-agility, name the signing algorithm #17

Open tschudin opened 3 years ago

tschudin commented 3 years ago

It would be good (and best practice) to explicitly encode the signing algorithm into the payload to be signed. See JOSE or COSE.

I also suggest to spell out, in your description of BendyButt, the signing algorithm, ideally using an established name and format from the RFC world, and avoid referring to a specific implementation as a way of defining it.

staltz commented 3 years ago

> I also suggest to spell out, in your description of BendyButt, the signing algorithm, ideally using an established name and format from the RFC world, and avoid referring to a specific implementation as a way of defining it.

This is a low-hanging fruit, thanks!

> It would be good (and best practice) to explicitly encode the signing algorithm into the payload to be signed. See JOSE or COSE

I haven't yet read about JOSE/COSE, but on a design level I agree with your suggestion. On an implementation level, it depends on how busy we are and what the tradeoffs are of tweaking the protocol versus getting-things-done, so I defer my vote until we have heard from the other developers in our group.
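The suggestion discussed in this thread, sketched as an added example (not code from the bendy-butt spec or its authors): the algorithm name sits inside the bytes that are signed, and the verifier accepts only names on its own allowlist. HMAC from the Python standard library stands in for the feed's signature scheme, and the envelope layout and function names are hypothetical.

```python
import hashlib
import hmac
import json

# Assumption: HMAC is a stand-in so the example runs on the standard library
# alone. "HS256"/"HS512" are the JOSE names from RFC 7518; a real feed format
# would register its own signature scheme under an established name.
ALGORITHMS = {"HS256": hashlib.sha256, "HS512": hashlib.sha512}


def signing_input(alg, payload):
    """Canonical bytes to sign; the algorithm name is part of them."""
    doc = {"alg": alg, "payload": payload}
    return json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()


def sign(key, alg, payload):
    """Return a hypothetical envelope: alg, payload and hex signature."""
    if alg not in ALGORITHMS:
        raise ValueError("unknown algorithm: %r" % (alg,))
    tag = hmac.new(key, signing_input(alg, payload), ALGORITHMS[alg])
    return {"alg": alg, "payload": payload, "sig": tag.hexdigest()}


def verify(key, allowed, msg):
    """Accept only if alg is on the verifier's allowlist and the tag matches."""
    alg = msg.get("alg")
    # The policy comes from the verifier, never from the message itself.
    if alg not in allowed or alg not in ALGORITHMS:
        return False
    try:
        claimed = bytes.fromhex(msg.get("sig"))
    except (TypeError, ValueError):
        return False
    data = signing_input(alg, msg.get("payload"))
    expected = hmac.new(key, data, ALGORITHMS[alg]).digest()
    return hmac.compare_digest(expected, claimed)


if __name__ == "__main__":
    key = b"k" * 32                       # constructed sample key
    msg = sign(key, "HS256", {"seq": 1})  # constructed sample payload
    print(verify(key, {"HS256"}, msg))                     # valid
    print(verify(key, {"HS256"}, dict(msg, alg="none")))   # rejected
```
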