JWE conveys an IV parameter but is silent on who generates the random IV value.
An API that allows the creator of an encrypted object to request that a random
IV be automatically generated by the library is probably fine. Similarly,
letting the library generate the random CMK is probably also fine.
-- Mike
-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of
[email protected]
Sent: Friday, September 14, 2012 5:57 AM
To: [email protected]
Subject: [jose] API question re
Hi,
Some algorithms used in JOSE allow random data to be used.
Examples are IVs and CMKs.
My question: in an API for JOSE should I always generate all values that can be
random randomly or should e.g. the IV be a parameter and I trust the developer
using the API to provide secure and applicable values?
My current plan is to have a parameter "SecureRandom sr" in all public methods
and generate all algorithm parameters randomly where that is possible.
So in an application server you can initialize the SecureRandom once and use it
in all requests.
Thanks
Axel
https://code.google.com/p/jsoncrypto/source/browse/trunk/src/org/jsoncrypto/JcBase.java
_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
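
An added sketch of the API shape discussed in this thread, not code from jsoncrypto or the JOSE drafts: the caller passes a `SecureRandom` and the library generates the IV and CMK itself. The class and method names, the use of AES-GCM, and the 96-bit IV and 128-bit key sizes are assumptions chosen for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical API sketch; names are illustrative, not taken from jsoncrypto.
public class RandomParamsDemo {
    static final int CMK_BYTES = 16;  // assumed 128-bit AES key
    static final int IV_BYTES = 12;   // assumed 96-bit IV for AES-GCM
    static final int TAG_BITS = 128;

    // Output of encrypt(); a real JWE would carry the CMK wrapped for the recipient.
    static final class Encrypted {
        final byte[] cmk, iv, ciphertext;
        Encrypted(byte[] cmk, byte[] iv, byte[] ciphertext) {
            this.cmk = cmk; this.iv = iv; this.ciphertext = ciphertext;
        }
    }

    // The caller supplies only the SecureRandom; IV and CMK are never caller-chosen.
    static Encrypted encrypt(byte[] plaintext, SecureRandom sr) throws GeneralSecurityException {
        if (sr == null) throw new IllegalArgumentException("SecureRandom required");
        byte[] cmk = new byte[CMK_BYTES];
        byte[] iv = new byte[IV_BYTES];
        sr.nextBytes(cmk);  // fresh key for every object
        sr.nextBytes(iv);   // fresh IV for every object
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(cmk, "AES"), new GCMParameterSpec(TAG_BITS, iv));
        return new Encrypted(cmk, iv, c.doFinal(plaintext));
    }

    static byte[] decrypt(Encrypted e) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(e.cmk, "AES"), new GCMParameterSpec(TAG_BITS, e.iv));
        return c.doFinal(e.ciphertext);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        SecureRandom sr = new SecureRandom();  // initialized once, reused for all requests
        byte[] msg = "constructed sample payload".getBytes(StandardCharsets.UTF_8);
        Encrypted a = encrypt(msg, sr);
        Encrypted b = encrypt(msg, sr);
        System.out.println("round trip ok: " + Arrays.equals(msg, decrypt(a)));
        System.out.println("IVs differ: " + !Arrays.equals(a.iv, b.iv));
        System.out.println("CMKs differ: " + !Arrays.equals(a.cmk, b.cmk));
    }
}
```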