Hi, I reviewed the specification and overall, it makes sense to me and find it very useful in the situations that were outlined in the spec.
A few things I found when reading the spec: * inconsistent use of protected header names in some places: detached_aad vs aad_detached * the example for JWE compact serialization could probably be simplified by using base64 for the canonicalization algorithm of the external context JSON structure. Otherwise, it looks great. What is the status of this document? Was it presented to the JOSE WG and where can I find the feedback? Thanks, Oliver ________________________________ From: tirumal reddy <[email protected]> Sent: Tuesday, February 11, 2025 7:52 AM To: JOSE WG <[email protected]> Subject: [jose] Fwd: New Version Notification for draft-reddy-jose-detached-aad-00.txt EXTERNAL EMAIL: This email originated outside of our organisation. Do not click links or open attachments unless you recognise the sender and know the content is safe. Hi all, We have published a new draft https://datatracker.ietf.org/doc/draft-reddy-jose-detached-aad/ that introduces a mechanism to support detached AAD in JWE. This allows the AAD to be derived from context-specific information instead of being transmitted in-band. The mechanism is particularly useful in scenarios such as OpenID for Verifiable Credentials (OID4VC), where a verifier must validate context information without relying on in-band AAD. Comments and suggestions are welcome. Cheers, -Tiru & Hannes ---------- Forwarded message --------- From: <[email protected]<mailto:[email protected]>> Date: Mon, 3 Feb 2025 at 12:23 Subject: New Version Notification for draft-reddy-jose-detached-aad-00.txt To: Tirumaleswar Reddy.K <[email protected]<mailto:[email protected]>>, Hannes Tschofenig <[email protected]<mailto:[email protected]>> A new version of Internet-Draft draft-reddy-jose-detached-aad-00.txt has been successfully submitted by Tirumaleswar Reddy and posted to the IETF repository. Name: draft-reddy-jose-detached-aad Revision: 00 Title: Enhanced JWE Security with Detached Additional Authenticated Data (AAD) Date: 2025-02-03 Group: Individual Submission Pages: 9 URL: https://www.ietf.org/archive/id/draft-reddy-jose-detached-aad-00.txt Status: https://datatracker.ietf.org/doc/draft-reddy-jose-detached-aad/ HTML: https://www.ietf.org/archive/id/draft-reddy-jose-detached-aad-00.html HTMLized: https://datatracker.ietf.org/doc/html/draft-reddy-jose-detached-aad Abstract: This draft introduces a mechanism to support detached Additional Authenticated Data (AAD) in JWE (JSON Web Encryption), allowing the AAD to be derived from context-specific information, such as session identifiers, algorithm identifiers, and identifiers of communication endpoints, rather than being transmitted in-band. This mechanism strengthens security by mitigating risk against unknown-key-share attacks and/or other exploitation techniques that depend on some type of confusion over the role played by each party. The document explains how to integrate this functionality into JWE, covering both JWE JSON Serialization and JWE Compact Serialization. The IETF Secretariat
_______________________________________________ jose mailing list -- [email protected] To unsubscribe send an email to [email protected]
