EdDSA is defined in RFC 8037 and is registered in the JOSE IANA registry. That's the requirement for being a JWT signing algorithm and for building upon the original JWA spec.
I agree, EdDSA is, unfortunately, not that widespread in the developer community right now, which leads to my recommendation of "Use EdDSA where possible and use ECDSA when it is not".
Yeah, my point is that that is only the case when you can control who uses your tokens. When you can't, you have to assume at least some users will be unable to use EdDSA.
IMHO the cryptographic arguments for preferring that over ECDSA in the context of authentication/authorization use cases are not that compelling. When we are talking about protecting financial assets stored in a blockchain, you want the strongest thing humanly possible, which is probably why they picked it. Or, put differently, if somebody is trying to break crypto to hack your JWTs, you probably have some other interesting problems to worry about.
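The "EdDSA where possible, ECDSA where not" recommendation above boils down to two signing paths and one verification rule. The following Go program is an added example written for this thread (it is not code from any of the commenters, and not from any JWT library): it signs a compact JWS with either EdDSA (Ed25519, RFC 8037) or ES256 (P-256 ECDSA, RFC 7518) using only the standard library, and on the verifying side it pins the expected `alg` to the key it holds instead of trusting the token header. The function names `GenerateSigner`, `Sign` and `Verify` and the sample claim `{"sub": "alice"}` are this example's own choices.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

// GenerateSigner makes a fresh Ed25519 key for "EdDSA" (RFC 8037) or a P-256 key for "ES256" (RFC 7518).
func GenerateSigner(alg string) (crypto.Signer, error) {
	switch alg {
	case "EdDSA":
		_, priv, err := ed25519.GenerateKey(rand.Reader)
		return priv, err
	case "ES256":
		return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	}
	return nil, fmt.Errorf("unsupported alg %q", alg)
}

// Sign builds a compact JWS (base64url header.payload.signature, RFC 7515); alg is derived from the key type.
func Sign(priv crypto.Signer, claims map[string]any) (string, error) {
	alg := "EdDSA"
	if k, isEC := priv.(*ecdsa.PrivateKey); isEC && k.Curve == elliptic.P256() {
		alg = "ES256"
	} else if _, isEd := priv.(ed25519.PrivateKey); !isEd {
		return "", fmt.Errorf("unsupported key %T (need Ed25519 or P-256)", priv)
	}
	hdr, _ := json.Marshal(map[string]string{"alg": alg, "typ": "JWT"})
	body, _ := json.Marshal(claims)
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	var sig []byte
	if alg == "EdDSA" {
		// Ed25519 hashes internally and is deterministic: sign the raw input.
		sig = ed25519.Sign(priv.(ed25519.PrivateKey), []byte(input))
	} else {
		// ES256 = SHA-256 + ECDSA; JWS wants the raw R||S (2 x 32 bytes), not ASN.1 DER.
		h := sha256.Sum256([]byte(input))
		r, s, err := ecdsa.Sign(rand.Reader, priv.(*ecdsa.PrivateKey), h[:])
		if err != nil {
			return "", err
		}
		sig = make([]byte, 64)
		r.FillBytes(sig[:32])
		s.FillBytes(sig[32:])
	}
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// Verify checks token with pub. The caller pins expectAlg for that key; the token's own
// "alg" header is only compared against it, never used to choose the algorithm (alg confusion).
func Verify(token string, pub crypto.PublicKey, expectAlg string) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	hdrRaw, e1 := base64.RawURLEncoding.DecodeString(parts[0])
	body, e2 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, e3 := base64.RawURLEncoding.DecodeString(parts[2])
	if e1 != nil || e2 != nil || e3 != nil {
		return nil, fmt.Errorf("bad base64url in token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if json.Unmarshal(hdrRaw, &hdr) != nil || hdr.Alg != expectAlg {
		return nil, fmt.Errorf("alg %q rejected, verifier expects %q", hdr.Alg, expectAlg)
	}
	input := []byte(parts[0] + "." + parts[1])
	ok := false
	switch k := pub.(type) {
	case ed25519.PublicKey:
		ok = expectAlg == "EdDSA" && ed25519.Verify(k, input, sig)
	case *ecdsa.PublicKey:
		if expectAlg == "ES256" && k.Curve == elliptic.P256() && len(sig) == 64 {
			h := sha256.Sum256(input)
			ok = ecdsa.Verify(k, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:]))
		}
	}
	if !ok {
		return nil, fmt.Errorf("signature invalid or key does not match %s", expectAlg)
	}
	var claims map[string]any
	return claims, json.Unmarshal(body, &claims)
}

func main() {
	priv, _ := GenerateSigner("ES256")
	tok, _ := Sign(priv, map[string]any{"sub": "alice"})
	fmt.Println(Verify(tok, priv.Public(), "ES256"))
}
```

Two details matter for interoperability with consumers who cannot do EdDSA: the ES256 signature must be the fixed-width R||S concatenation rather than the DER blob most ECDSA APIs emit, and the verifier must decide the algorithm from its own key configuration, so a token carrying `"alg":"EdDSA"` is refused by an ES256 verifier before any signature check runs.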
Thanks for the comment 🙂