For draft-ietf-jose-json-web-encryption-10, it looks like Mike has picked "option 3: Put all per-recipient info into one header; keep this header under the AEAD integrity check; have one nonce" [http://www.ietf.org/mail-archive/web/jose/current/msg02093.html]
I think there is a better choice.

1. Define a JOSE message for applying an AEAD algorithm. This is basically a current "alg":"dir" (direct) JWE message. There is no key exchange info. The JSON header is the AAD.

   <header>.<nonce>.<ciphertext>

2. Define a JOSE message for key exchange. Have key agreement, key transport, key wrapping, and password-based key options. A key exchange JOSE message can be concatenated with another JOSE message that uses the exchanged key (such as a JOSE message from point 1).

   <header>.<originator>.<recipient 1>[.<recipient 2>...].<JOSE message>

This approach keeps integrity protection over the AEAD algorithm parameters, which just possibly might make some attacks harder. It doesn’t limit JOSE messages to a fixed set of recipients known up front (before any content is protected), which would otherwise prevent a bunch of use cases and privacy options.

--
James Manger
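As an added illustration of point 1 above (example code written for this page, not from the post or any JOSE implementation), the following Python serializes <header>.<nonce>.<ciphertext> with the JSON header as the AAD. It assumes a stand-in AEAD built from SHA-256 and HMAC-SHA256 so it runs with the standard library only; a real deployment would use a proper JWE content-encryption algorithm. The point it demonstrates is that a change to the header's "enc" parameter is rejected because the header sits under the integrity check.

```python
import base64, hashlib, hmac, json, secrets

def b64u(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def b64u_dec(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Stand-in counter-mode keystream from SHA-256 (NOT a JWE algorithm; it only
    # plays the role of the AEAD cipher so that the example runs offline).
    blocks = [hashlib.sha256(b"enc" + key + nonce + ctr.to_bytes(4, "big")).digest()
              for ctr in range((n + 31) // 32)]
    return b"".join(blocks)[:n]

def _tag(key: bytes, aad: bytes, nonce: bytes, ct: bytes) -> bytes:
    # The integrity check covers header (AAD), nonce and ciphertext together.
    mac_key = hashlib.sha256(b"mac" + key).digest()
    return hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()

def aead_seal(key: bytes, header: dict, plaintext: bytes, nonce: bytes = None) -> str:
    """Produce <header>.<nonce>.<ciphertext> with the JSON header as the AAD."""
    hdr = b64u(json.dumps(header, separators=(",", ":")).encode())
    nonce = nonce or secrets.token_bytes(12)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return ".".join([hdr, b64u(nonce), b64u(body + _tag(key, hdr.encode(), nonce, body))])

def aead_open(key: bytes, message: str):
    """Verify the tag over header+nonce+ciphertext before releasing any plaintext."""
    hdr, nonce_s, ct_s = message.split(".")
    nonce, ct = b64u_dec(nonce_s), b64u_dec(ct_s)
    body, tag = ct[:-32], ct[-32:]
    if not hmac.compare_digest(tag, _tag(key, hdr.encode(), nonce, body)):
        raise ValueError("integrity check failed")
    pt = bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))
    return json.loads(b64u_dec(hdr)), pt

def header_tamper_rejected(key: bytes, message: str) -> bool:
    # Alter only the "enc" parameter in the header; nonce and ciphertext are untouched.
    hdr, rest = message.split(".", 1)
    header = json.loads(b64u_dec(hdr))
    header["enc"] = "weak"
    forged = b64u(json.dumps(header, separators=(",", ":")).encode()) + "." + rest
    try:
        aead_open(key, forged)
    except ValueError:
        return True
    return False

# Constructed sample: a fixed 32-byte key and a direct ("dir") message with a fixed nonce.
KEY = bytes(range(32))
MSG = aead_seal(KEY, {"alg": "dir", "enc": "stand-in-aead"}, b"hello JOSE", nonce=bytes(12))
```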
