Yes for encryption (leaving ECDH-SS aside) the recipient decrypts with a secret. I would expect a kid in the header.
I suppose that if the recipient published an x5c that the sender used to encrypt with then you could include the x5c as a reference, though a thumbprint would be simpler as the recipient is probably keeping its private keys in a key-store of some sort.

In any event we would minimally want to change that to

> "The certificate containing the public key of the entity that is to decrypt
> the JWE MUST be the first certificate."

Thanks Brian

John B.

On 2013-01-29, at 11:08 PM, Brian Campbell <[email protected]> wrote:

> I just noticed a couple of things in the JWE's x5c definition that struck me
> as maybe not right.
>
> From
> http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-08#section-4.1.9
>
> "The certificate containing the public key of the entity that encrypted the
> JWE MUST be the first certificate." - but it's not the public key of the
> entity that encrypted, is it? It's the public key of the entity that will
> decrypt. The other entity.
>
> "The recipient MUST verify the certificate chain according to [RFC5280] and
> reject the JWE if any validation failure occurs." - maybe I'm missing
> something but why would the recipient verify its own certificate chain?
>
> And the first hyperlink in "See Appendix B of [JWS] for an example "x5c"
> value" takes you to Appendix B of JWE, which is Acknowledgements, rather than
> JWS as the text would suggest.
>
> So all those little nits could be fixed. But maybe it'd be better to just
> remove x5c from JWE altogether? As Richard pointed out previously,
> http://www.ietf.org/mail-archive/web/jose/current/msg01434.html, there's
> really no point in sending a whole chain to help the recipient identify its
> own key.
>
> _______________________________________________
> jose mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/jose
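The key-identification options discussed in this thread (a kid, a certificate thumbprint, or the first x5c certificate used purely as a reference to the recipient's own key), sketched as an added example that is not part of the original messages. It assumes "x5t" is the base64url SHA-1 digest of the DER certificate and "x5c" entries are standard base64 DER; the KeyStore class, key ids, handles and certificate bytes are hypothetical, constructed values.

```python
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def x5t(cert_der: bytes) -> str:
    # "x5t" value: base64url of the SHA-1 digest of the DER certificate.
    return b64url(hashlib.sha1(cert_der).digest())

def x5c_entry(cert_der: bytes) -> str:
    # One "x5c" array element: standard (not URL-safe) base64 of the DER bytes.
    return base64.b64encode(cert_der).decode("ascii")

def make_jwe(header: dict) -> str:
    # Constructed token: only the header segment matters for key selection.
    return b64url(json.dumps(header).encode()) + ".ek.iv.ct.tag"

class KeyStore:
    """Hypothetical recipient key store, indexed by kid and by thumbprint."""
    def __init__(self):
        self._by_kid, self._by_x5t = {}, {}

    def add(self, kid: str, cert_der: bytes, key_handle: str) -> None:
        self._by_kid[kid] = key_handle
        self._by_x5t[x5t(cert_der)] = key_handle

    def select(self, jwe_compact: str):
        """Return the handle of the key the header names, or None."""
        seg = jwe_compact.split(".")[0]
        header = json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))
        hits = []
        if "kid" in header:
            hits.append(self._by_kid.get(header["kid"]))
        if "x5t" in header:
            hits.append(self._by_x5t.get(header["x5t"]))
        if header.get("x5c"):
            # Only the first certificate identifies the key; hash it and look
            # it up exactly like a thumbprint.
            first_der = base64.b64decode(header["x5c"][0])
            hits.append(self._by_x5t.get(x5t(first_der)))
        # Every hint present must resolve to the same known key.
        if not hits or None in hits or len(set(hits)) != 1:
            return None
        return hits[0]

# Constructed sample data: opaque bytes standing in for DER certificates.
CERT_A, CERT_B = b"constructed-der-cert-A", b"constructed-der-cert-B"
STORE = KeyStore()
STORE.add("enc-a", CERT_A, "handle-a")
STORE.add("enc-b", CERT_B, "handle-b")
```

A header whose hints disagree, or that names a key the store does not hold, yields None, so the caller rejects the JWE before any decryption is attempted.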
