Re: [jose] Question on enc location

Tue, 23 Jul 2013 08:30:36 -0700 

For the first, no - it's missing the required "recipients" element.

For the second, no - the "recipients" value is missing the required 
"encrypted_key" value.

Answering Richard's comment - I expect that in most cases people will put 
elements such as "enc" that are common between all recipients in either the 
"protected" or "unprotected" top-level headers, but this isn't a requirement.  
In the worst case, should a sender use different "enc" values for different 
recipients, the result will be that the JWE will fail to decrypt for all the 
recipients in which the "enc" value is incorrect.

                                                            -- Mike

From: Jim Schaad [mailto:[email protected]]
Sent: Tuesday, July 23, 2013 5:23 AM
To: 'Richard Barnes'; Mike Jones
Cc: [email protected]
Subject: RE: [jose] Question on enc location

As a follow up.   Is this legal?

{
  Header: <alg:"direct", enc:"AES-GCM"},
  IV: ..., tag:..., payload:...
}

Or is the line

Recipients:[{}],

Required?

From: Richard Barnes [mailto:[email protected]]
Sent: Tuesday, July 23, 2013 5:04 AM
To: Mike Jones
Cc: Jim Schaad; [email protected]<mailto:[email protected]>
Subject: Re: [jose] Question on enc location

In which case, it seems like it should be in the top level header, to avoid 
having it repeated every time.

In general, it seems like there are "content" parameters (e.g., enc, zip, cty) 
that should go at the top level, and "key" parameters that should be 
per-recipient (e.g., alg, epk, salt).  It would be helpful to implementors to 
be clear about what goes where.



On Monday, July 22, 2013, Mike Jones wrote:
No - just that the "enc" field for all recipients be the same.

From: 
[email protected]<javascript:_e(%7b%7d,%20'cvml',%20'[email protected]');>
 
[mailto:[email protected]<javascript:_e(%7b%7d,%20'cvml',%20'[email protected]');>]
 On Behalf Of Jim Schaad
Sent: Monday, July 22, 2013 4:33 PM
To: [email protected]<javascript:_e(%7b%7d,%20'cvml',%20'[email protected]');>
Subject: [jose] Question on enc location

Is there supposed to be a requirement in the JWE specification that the enc 
field be in the common protected (or unprotected) header and no in the 
individual recipient header information?

Jim


_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose

Reply via email to