On Mon, Oct 30, 2023 at 04:54:21PM -0600, Brian Campbell wrote:
> On Mon, Oct 30, 2023 at 8:20 AM Ilari Liusvaara <[email protected]>
> wrote:
>
> > On Mon, Oct 30, 2023 at 07:55:09AM -0600, Brian Campbell wrote:
> > > On Tue, Oct 24, 2023 at 4:46 AM Ilari Liusvaara <
> > [email protected]>
> > > wrote:
> >
> > For algorithm to be suitable for direct encryption, one would need
> > algorithm meant for bulk encryption that is either MRAE or has
> > large nonces. There are none currently.
> >
>
> Are the AES_CBC_HMAC_SHA2 Algorithms
> <https://datatracker.ietf.org/doc/html/rfc7518#section-5.2> in JWE unsafe
> with Direct Encryption? I guess that asking the question does suggest that
> more guidance would be useful. But I've generally assumed that it was okay.
> JWA does kinda mention nonce/IV reuse and limiting the number of
> invocations in its AES GCM Security Considerations
> <https://datatracker.ietf.org/doc/html/rfc7518#section-8.4> but that's only
> about GCM.

Oops, missed those, AES-CBC-HMAC should be OK (albeit being somewhat
slow). However, the rest all have one or other of the issues (including
everything available in COSE).


-Ilari
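
The distinction drawn in this thread can be checked mechanically. The following is an added example, not code from the thread or from any participant: it reads the protected header of a JWE in compact serialization and flags direct encryption (`"alg": "dir"`) combined with an AES-GCM `enc`, where every message shares one key and a 96-bit IV. The function names, the sample tokens and the 2^-32 repeat-probability target are assumptions, and IVs are assumed to be chosen at random.

```python
import base64
import json

# JWE "enc" values (RFC 7518 section 5.1) and their IV length in bits.
ENC_IV_BITS = {
    "A128CBC-HS256": 128, "A192CBC-HS384": 128, "A256CBC-HS512": 128,
    "A128GCM": 96, "A192GCM": 96, "A256GCM": 96,
}

def log2_message_budget(iv_bits, log2_p=-32):
    """log2 of how many random IVs one key can use before the chance of a
    repeat reaches 2**log2_p (birthday bound: p ~= n**2 / 2**(iv_bits + 1))."""
    return (iv_bits + 1 + log2_p) / 2

def protected_header(compact_jwe):
    """Decode the protected header of a JWE in compact serialization."""
    parts = compact_jwe.split(".")
    if len(parts) != 5:
        raise ValueError("JWE compact serialization has five segments")
    seg = parts[0]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def audit(compact_jwe):
    """Classify the alg/enc pair of one token as (verdict, detail)."""
    hdr = protected_header(compact_jwe)
    alg, enc = hdr.get("alg"), hdr.get("enc")
    if enc not in ENC_IV_BITS:
        return ("unknown", f"enc={enc!r} is not in the table")
    if alg != "dir":
        return ("ok", f"{alg}: a fresh content key per message")
    bits = ENC_IV_BITS[enc]
    if enc.endswith("GCM"):
        # One shared key for every message, and a repeated IV breaks GCM.
        budget = f"2^{log2_message_budget(bits):g} messages per key"
        return ("review", f"dir+{enc}: {bits}-bit IV, about {budget}")
    return ("ok", f"dir+{enc}: {bits}-bit IV")

def sample_token(alg, enc):
    """Constructed token: real header, placeholder IV/ciphertext/tag."""
    hdr = json.dumps({"alg": alg, "enc": enc}).encode()
    first = base64.urlsafe_b64encode(hdr).rstrip(b"=").decode()
    return f"{first}..aXY.Y3Q.dGFn"

if __name__ == "__main__":
    for alg, enc in [("dir", "A256GCM"), ("dir", "A128CBC-HS256"),
                     ("A256KW", "A256GCM")]:
        print(alg, enc, audit(sample_token(alg, enc)))
```

A "review" verdict means the deployment needs a key-rotation or invocation-count limit for that direct key; it does not say anything about the individual token.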
