FAPI not currently compliant with CNSA 2.0 #844

Description

@bitbucket-import-issues

Originally submitted by josephheenan (Joseph Heenan) on 2026-03-16

As mentioned at the IETF OAuth WG call today, https://media.defense.gov/2022/Sep/07/2003071836/-1/-1/0/CSI_CNSA_2.0_FAQ_.PDF disallows the use of SHA256 in favour of SHA-384 or SHA-512, which I believe may mean FAPI can't be used in environments that have policies that require CNSA 2.0 compliance (e.g. PKCE requires SHA256).

https://datatracker.ietf.org/doc/draft-skokan-oauth-additional-hashes/ is part of the potential fix for that.

This is probably something we consider as part of general support for post-quantum?


Bitbucket status: open

Bitbucket origin: issue 856
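
An added example, not part of the original issue or of any FAPI project code: it computes the PKCE `S256` challenge defined in RFC 7636 to show the SHA-256 dependency, then audits a constructed RFC 8414 metadata document for identifiers whose hash falls outside the SHA-384/SHA-512 allow-list the issue describes. It goes beyond the PKCE case named in the issue by also checking RFC 7518 JWS algorithm names; `audit_metadata`, `ALLOWED_HASHES` and `SAMPLE_METADATA` are hypothetical names, and the check covers the hash function only.

```python
import base64
import hashlib

# Hash allow-list taken from the issue text: SHA-384 or SHA-512 only.
# This checks the hash function alone; it is not a full CNSA 2.0 compliance check.
ALLOWED_HASHES = {"sha384", "sha512"}

# Hash behind each identifier: "S256" per RFC 7636, the rest per RFC 7518 (JWA).
ALG_HASH = {"S256": "sha256"}
for _family in ("RS", "PS", "ES", "HS"):
    for _bits in ("256", "384", "512"):
        ALG_HASH[_family + _bits] = "sha" + _bits

# RFC 8414 metadata fields that advertise hash-dependent identifiers.
METADATA_FIELDS = (
    "code_challenge_methods_supported",
    "token_endpoint_auth_signing_alg_values_supported",
)

def pkce_s256_challenge(code_verifier: str) -> str:
    """RFC 7636 S256: BASE64URL(SHA256(ASCII(code_verifier))), unpadded."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def audit_metadata(metadata: dict) -> list:
    """Return (field, identifier, hash) for every entry outside the allow-list."""
    findings = []
    for field in METADATA_FIELDS:
        for alg in metadata.get(field, []):
            # Identifiers we cannot map are reported, not silently accepted.
            hash_name = ALG_HASH.get(alg, "unknown")
            if hash_name not in ALLOWED_HASHES:
                findings.append((field, alg, hash_name))
    return findings

# Constructed sample metadata, not taken from any real authorization server.
SAMPLE_METADATA = {
    "issuer": "https://as.example.test",
    "code_challenge_methods_supported": ["S256"],
    "token_endpoint_auth_signing_alg_values_supported": ["PS256", "ES384"],
}

if __name__ == "__main__":
    for field, alg, hash_name in audit_metadata(SAMPLE_METADATA):
        print(f"{field}: {alg} uses {hash_name}, outside the allow-list")
```
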
