Connect2id

Roadmap

1. JOSE algorithms

1.1 ML-DSA for JWS

draft-ietf-cose-dilithium specifies a family of PQC digital signature algorithms based on US NIST FIPS 204.

1.2 SLH-DSA for JWS

draft-ietf-cose-sphincs-plus specifies a family of PQC digital signature algorithms based on US FIPS 205.

1.3 HPKE for JWE

draft-ietf-jose-hpke-encrypt specifies a family of PQC algorithms for Hybrid Public Key Encryption (HPKE).

1.4 KEM for JWE

draft-ietf-jose-pqc-kem specifies a family of PQC algorithms using Module-Lattice-based Key Encapsulation Mechanisms (ML-KEMs).

1.5 Synthetic IV (SIV) encryption modes for JWE

draft-madden-jose-siv-mode is an expired draft that ports the AES/SIV mode to JOSE. Depending on how the cipher is set up, it provides deterministic authenticated encryption and key-wrapping, or nonce-based misuse-resistant authenticated encryption.

1.6 Fully-specified algorithms for JWS

RFC 9864 defines the Ed25519 and Ed448 JWS algorithm names, deprecating the EdDSA name defined in RFC 8037.

2. API

2.1 Upgrade to Java 8

The upgrade is intended to make use of language facilities and classes (such as Instant) available in Java 8. A super ticket collects suggestions and tracks the work.

2.2 JSON SPI

Investigate the path to an SPI-pluggable JSON parsing and serialisation provider, instead of using a shaded JSON library (currently Gson). This would enable quick updating or replacement of the underlying JSON library if a JSON-processing vulnerability is discovered.

2.3 Fluent API

A fluent API to mint and process JOSE objects and JWTs.

2.4 Logging and metrics extension points

Simpler extension points to log or meter events such as:

  • Signature verification failures by reason.
  • JOSE object / JWT parse failures.

2.5 Annotations

For example:

  • @JWTClaimSet and @JWTClaim to turn a Java object with selected fields into a JWT claims set.

  • @Experimental to mark implementations of JOSE drafts.

3. Build

3.1 Reproducible builds

Reproducible builds ensure that anyone can rebuild the software from the published source and obtain bit-for-bit identical artifacts.

3.2 Build attestation

Build attestation records how and where each artifact was built, including the source revision, build environment, and workflow identity. This allows verification of the authenticity and provenance of library binaries.

4. Benchmark suite

Create a benchmark suite to test the relative performance of the supported JWS and JWE algorithms, including the performance of HSM-based providers.