Hi Ilari, Thanks for the review. Please see inline
On Tue, 11 Feb 2025 at 23:26, Ilari Liusvaara <[email protected]> wrote: > On Tue, Feb 11, 2025 at 12:22:48PM +0530, tirumal reddy wrote: > > Hi all, > > > > We have published a new draft > > https://datatracker.ietf.org/doc/draft-reddy-jose-detached-aad/ that > > introduces a mechanism to support detached AAD in JWE. This allows the > AAD > > to be derived from context-specific information instead of being > > transmitted in-band. The mechanism is particularly useful in scenarios > such > > as OpenID for Verifiable Credentials (OID4VC), where a verifier must > > validate context information without relying on in-band AAD. > > > > Comments and suggestions are welcome. > > Some quick comments: > > - Remove stuff about JWE serialization. This should work in terms of > abstract JWE messages. > "Abstract JWE messages" is not a well-defined term in the context of JWE as specified in RFC 7516. > > - Remove the "detached_aad" parameter. It only seems useful for attacks. > "detached_aad" is in the JWE protected header, please elaborate on the attack. > > - Change the implicit-only AEP construction. Right now it can collide > with stock JWE AEP construction, which is unsound. > I don't get the comment, please clarify. -Tiru > > > > -Ilari > > _______________________________________________ > jose mailing list -- [email protected] > To unsubscribe send an email to [email protected] >
_______________________________________________ jose mailing list -- [email protected] To unsubscribe send an email to [email protected]
