On Tue, Feb 11, 2025 at 12:22:48PM +0530, tirumal reddy wrote:
> Hi all,
>
> We have published a new draft
> https://datatracker.ietf.org/doc/draft-reddy-jose-detached-aad/ that
> introduces a mechanism to support detached AAD in JWE. This allows the AAD
> to be derived from context-specific information instead of being
> transmitted in-band. The mechanism is particularly useful in scenarios such
> as OpenID for Verifiable Credentials (OID4VC), where a verifier must
> validate context information without relying on in-band AAD.
>
> Comments and suggestions are welcome.

Some quick comments:

- Remove stuff about JWE serialization. This should work in terms of
  abstract JWE messages.
- Remove the "detached_aad" parameter. It only seems useful for attacks.
- Change the implicit-only AEP construction. Right now it can collide
  with stock JWE AEP construction, which is unsound.

-Ilari
