Last night I saw a ticket from a developer who was trying to set the IV for the JWE content encryption by passing the value through the "iv" header parameter.
My understanding is that this is not standard behavior, but still, is this is a sensible method to allow developers to set the IV? (if set by the developer the "iv" header parameter is to be removed before the JWE is created). This method of course will have problems when AES/GCM key wrap is used, as then there will be no way to set two nonces via the "iv" header. https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/158/jwe-iv-remains-in-jwe-header Vladimir _______________________________________________ jose mailing list [email protected] https://www.ietf.org/mailman/listinfo/jose
