Hi Filip, This proposal makes sense to me and seems proportionate given how deployment environments are evolving.
While SHA-256 remains widely acceptable today, a growing number of higher-assurance environments are already moving toward stronger cryptographic baselines. In particular, environments aligned with CNSA-class guidance and similar national security profiles are increasingly standardizing on larger hash sizes and stronger primitives across protocols. Providing a path to use SHA-512 (or equivalent) in OAuth mechanisms such as PKCE, mTLS confirmation, and DPoP feels like a natural step toward crypto-agility.

Importantly, the draft does not force a change on existing deployments. Instead, it provides an interoperable way for ecosystems that require stronger cryptographic assurances to adopt them without needing bespoke profiles or extensions. That seems entirely consistent with the direction OAuth security guidance has taken in recent years—incrementally strengthening defaults while maintaining backwards compatibility.

In practice we are already seeing ecosystems, particularly regulated financial and government environments, apply stricter cryptographic requirements through profiles. Standardizing the ability to use stronger hashes at the protocol level reduces fragmentation and avoids the need for each ecosystem to invent its own extensions.

Overall this looks like a reasonable and forward-looking addition that improves crypto agility without disrupting existing deployments. +1 from my side.

Best,
Ralph

Ralph Bragg
Chief Technology Officer
M. +447890130559
T. +44 20 4583 6770
[email protected]
_______________________________________________ OAuth mailing list -- [email protected] To unsubscribe send an email to [email protected]
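To make concrete what "using a stronger hash in PKCE" means for an authorization server, here is an added example (not code from the thread, the draft, or any project it discusses). It implements the RFC 7636 S256 method alongside a SHA-512 variant under the hypothetical method name `S512`; the identifier the draft actually registers may differ, so treat that name and the `allowed_methods` policy knob as assumptions of this example. The point it demonstrates is hash agility: the challenge computation and the server-side verification are parameterized by a method registry, so a higher-assurance profile can restrict the accepted methods without changing the protocol flow.

```python
import base64
import hashlib
import hmac
import secrets

# Registry of code_challenge_method values the server understands.
# "S256" is defined by RFC 7636. "S512" is a HYPOTHETICAL name used here
# only to illustrate agility; the real identifier comes from the draft.
CHALLENGE_METHODS = {
    "S256": hashlib.sha256,
    "S512": hashlib.sha512,
}


def b64url_nopad(data: bytes) -> str:
    """base64url without '=' padding, as RFC 7636 Appendix A requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier(n_bytes: int = 32) -> str:
    """Client side: high-entropy code_verifier.

    32 random bytes encode to 43 unreserved characters, the RFC 7636 minimum
    length; the base64url alphabet is a subset of the allowed [A-Za-z0-9-._~].
    """
    return b64url_nopad(secrets.token_bytes(n_bytes))


def code_challenge(verifier: str, method: str = "S256") -> str:
    """Client side: code_challenge = BASE64URL(HASH(ASCII(code_verifier)))."""
    try:
        digest_fn = CHALLENGE_METHODS[method]
    except KeyError:
        raise ValueError(f"unsupported code_challenge_method: {method}")
    return b64url_nopad(digest_fn(verifier.encode("ascii")).digest())


def verify_code_verifier(
    stored_challenge: str,
    stored_method: str,
    presented_verifier: str,
    allowed_methods: frozenset = frozenset(CHALLENGE_METHODS),
) -> bool:
    """Authorization server side, at the token endpoint.

    `allowed_methods` is an assumed policy hook: a deployment following a
    stricter profile can pass frozenset({"S512"}) so that authorization
    requests bound with a weaker method are rejected, while the default
    keeps existing S256 clients working.
    """
    if stored_method not in allowed_methods or stored_method not in CHALLENGE_METHODS:
        return False
    if not 43 <= len(presented_verifier) <= 128:
        return False
    expected = code_challenge(presented_verifier, stored_method)
    # Constant-time comparison so the check leaks nothing about the challenge.
    return hmac.compare_digest(expected, stored_challenge)


if __name__ == "__main__":
    # Round trip with the stronger method: the flow is identical to S256,
    # only the registry entry differs.
    verifier = new_code_verifier()
    challenge = code_challenge(verifier, "S512")
    print("S512 challenge:", challenge)
    print("verified:", verify_code_verifier(challenge, "S512", verifier))
    print("rejected under strict profile:",
          not verify_code_verifier(code_challenge(verifier, "S256"), "S256",
                                   verifier, frozenset({"S512"})))
```

The verifier length check and the constant-time compare are the two checks a practitioner most often forgets when adding a new method; keeping them in the shared `verify_code_verifier` path means they apply regardless of which hash a profile selects.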
