>
> Ouch, I hadn't seen this. The WebCrypto group really did a number on the
> registry. Thankfully most of them (including RS1) are only registered for JWK
> usage and marked as Prohibited. (What does it even mean for things like
> "A128CBC" to be registered as a JWK "alg" value?)
>
> [JLS] One can have a JWK which contains a symmetric key so in that case an
> "alg" value of "A128CBC" makes sense. Only use this key with this algorithm.
>
OK, off-topic but this reveals an ambiguity in the JWK spec. Section 4.4 of RFC
7517 describing the JWK "alg" parameter just says that the values should be
registered in the "JSON Web Signature and Encryption Algorithms" registry, but
as this registry contains both JWE Algorithms ("alg" in JWE) and Content
Encryption Methods ("enc"), it is ambiguous which is allowed. I have always
assumed that only JWE/JWS "alg" values were allowed in a JWK "alg" claim, but
I guess the wording would also allow you to put an "enc" value in there. I
presume that's what the WebCrypto spec is intending with these registrations,
rather than registering "A128CBC" etc as key-wrapping algorithms?
-- Neil
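
An added example, not part of the thread and not taken from any JOSE library: a Python check showing how the two readings of RFC 7517 Section 4.4 diverge when a symmetric JWK carries an "enc" value in its "alg" member. The registry table is a constructed subset, `jwk_permits` and its `strict` flag are hypothetical names, and treating an "enc"-restricted key as usable only with "dir" is an assumption.

```python
# Constructed subset of the IANA "JSON Web Signature and Encryption Algorithms"
# registry: name -> usage location ("alg", "enc" or "JWK").
REGISTRY = {
    "HS256": "alg", "RS256": "alg", "A128KW": "alg", "dir": "alg",
    "A128GCM": "enc", "A128CBC-HS256": "enc",
    "A128CBC": "JWK", "RS1": "JWK",  # WebCrypto registrations discussed above
}

# Constructed sample keys (16 zero bytes) and JOSE headers.
OCT_GCM = {"kty": "oct", "k": "AAAAAAAAAAAAAAAAAAAAAA", "alg": "A128GCM"}
OCT_CBC = {"kty": "oct", "k": "AAAAAAAAAAAAAAAAAAAAAA", "alg": "A128CBC"}
OCT_KW = {"kty": "oct", "k": "AAAAAAAAAAAAAAAAAAAAAA", "alg": "A128KW"}
DIR_HEADER = {"alg": "dir", "enc": "A128GCM"}
KW_HEADER = {"alg": "A128KW", "enc": "A128GCM"}


def jwk_permits(jwk, header, strict=True):
    """Decide whether a JWK's "alg" restriction permits use with a JOSE header.

    strict=True : only JWS/JWE "alg" values are accepted in a JWK "alg".
    strict=False: an "enc" value is accepted too (assumed to mean the key is
                  the content-encryption key, i.e. header "alg" is "dir").
    Returns (allowed, reason).
    """
    key_alg = jwk.get("alg")
    if key_alg is None:
        return True, "JWK has no alg restriction"
    location = REGISTRY.get(key_alg)
    if location is None:
        return False, f"{key_alg!r} is not in the registry subset"
    if location == "JWK":
        # Registered for JWK use only, so it is not a JWS/JWE header value.
        return False, f"{key_alg!r} is JWK-only and matches no header value"
    if location == "alg":
        ok = header.get("alg") == key_alg
        return ok, "header alg matches" if ok else "header alg differs"
    # location == "enc": the case the Section 4.4 wording leaves open.
    if strict:
        return False, f"{key_alg!r} is an enc value (strict reading)"
    ok = header.get("alg") == "dir" and header.get("enc") == key_alg
    return ok, "header enc matches, key used directly" if ok else "header differs"


if __name__ == "__main__":
    for mode in (True, False):
        print("strict" if mode else "lenient",
              jwk_permits(OCT_GCM, DIR_HEADER, strict=mode))
```
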