These points are now clarified in the -14 drafts.
-- Mike
From: Mike Jones
Sent: Tuesday, July 23, 2013 2:33 PM
To: 'Jim Schaad'; 'Richard Barnes'
Cc: [email protected]<mailto:[email protected]>
Subject: RE: [jose] Question on enc location
For the second, you're right - you don't need encrypted_key. I'll plan to be
clear on that (and the other fields that are omitted for some algorithms) for
the JSON Serializations. I believe you still need "recipients" - for
consistency reasons, even if the array elements contain an empty object.
-- Mike
From: Jim Schaad [mailto:[email protected]]
Sent: Tuesday, July 23, 2013 1:48 PM
To: Mike Jones; 'Richard Barnes'
Cc: [email protected]<mailto:[email protected]>
Subject: RE: [jose] Question on enc location
But in this case I don't think that I need an encrypted key value because I am
using direct.
From: Mike Jones [mailto:[email protected]]
Sent: Tuesday, July 23, 2013 8:29 AM
To: Jim Schaad; 'Richard Barnes'
Cc: [email protected]<mailto:[email protected]>
Subject: RE: [jose] Question on enc location
For the first, no - it's missing the required "recipients" element.
For the second, no - the "recipients" value is missing the required
"encrypted_key" value.
Answering Richard's comment - I expect that in most cases people will put
elements such as "enc" that are common between all recipients in either the
"protected" or "unprotected" top-level headers, but this isn't a requirement.
In the worst case, should a sender use different "enc" values for different
recipients, the result will be that the JWE will fail to decrypt for all the
recipients in which the "enc" value is incorrect.
-- Mike
From: Jim Schaad [mailto:[email protected]]
Sent: Tuesday, July 23, 2013 5:23 AM
To: 'Richard Barnes'; Mike Jones
Cc: [email protected]<mailto:[email protected]>
Subject: RE: [jose] Question on enc location
As a follow up. Is this legal?
{
Header: <alg:"direct", enc:"AES-GCM"},
IV: ..., tag:..., payload:...
}
Or is the line
Recipients:[{}],
Required?
From: Richard Barnes [mailto:[email protected]]
Sent: Tuesday, July 23, 2013 5:04 AM
To: Mike Jones
Cc: Jim Schaad; [email protected]<mailto:[email protected]>
Subject: Re: [jose] Question on enc location
In which case, it seems like it should be in the top level header, to avoid
having it repeated every time.
In general, it seems like there are "content" parameters (e.g., enc, zip, cty)
that should go at the top level, and "key" parameters that should be
per-recipient (e.g., alg, epk, salt). It would be helpful to implementors to
be clear about what goes where.
On Monday, July 22, 2013, Mike Jones wrote:
No - just that the "enc" field for all recipients be the same.
From:
[email protected]<javascript:_e(%7b%7d,%20'cvml',%20'[email protected]');>
[mailto:[email protected]<javascript:_e(%7b%7d,%20'cvml',%20'[email protected]');>]
On Behalf Of Jim Schaad
Sent: Monday, July 22, 2013 4:33 PM
To: [email protected]<javascript:_e(%7b%7d,%20'cvml',%20'[email protected]');>
Subject: [jose] Question on enc location
Is there supposed to be a requirement in the JWE specification that the enc
field be in the common protected (or unprotected) header and no in the
individual recipient header information?
Jim
_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
