I don’t see any need for this in JOSE. The lightweight nature is less important there and otherwise Ascon provides no advantages over existing AEADs.
If it goes ahead, I would very much oppose any tag size less than 128 bits. Short tags are only appropriate if there are alternative rate-limiting controls in place, which is not an assumption made in JOSE typically. Overall, this seems firmly in the COSE-specific camp. — Neil > On 10 Apr 2026, at 07:00, Dmytro OCHKAS <[email protected]> > wrote: > > Dear JOSE WG, > > I am a researcher at IMT Atlantique/IRISA in Rennes, France. In my team, we > are passionate about the security of constrained IoT networks. > After NIST had selected Ascon algorithms as a lightweight security standard, > we came up with an Ascon over COSE and JOSE draft [1][2]. > At IETF 123, the draft found some support within the COSE WG, so right now we > are working on its next version, which describes integrating Ascon-Hash256 > with JOSE and COSE. > > I am new to this working group, so I would appreciate getting your opinions > on the idea. > Do you think it is pertinent to have Ascon in JOSE? If yes, should we keep > Ascon over COSE and JOSE in the same document? > > In fact, with my team, we will most likely be present at IETF 126, so we are > planning to request a time slot to present the draft. > However, don't hesitate to start this discussion on the mailing list. > > In case you want to collaborate on the topic, feel free to contact me. > > All the best, > Dmytro Ochkas > > [1] - > https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-232.pdf > [2] - https://datatracker.ietf.org/doc/draft-ochkas-cose-ascon/ > > _______________________________________________ > jose mailing list -- [email protected] > To unsubscribe send an email to [email protected] _______________________________________________ jose mailing list -- [email protected] To unsubscribe send an email to [email protected]
