I'm fine updating the draft to say that the symmetric key can be carried in the 
"jwk" element in an unencrypted form if the JWT is itself encrypted.  That's 
what you're looking for, right?

                                                                -- Mike

From: OAuth [mailto:[email protected]] On Behalf Of John Bradley
Sent: Thursday, July 30, 2015 11:29 AM
To: Brian Campbell <[email protected]>
Cc: oauth <[email protected]>
Subject: Re: [OAUTH-WG] JWT PoP Key Semantics WGLC followup 2 (was Re: 
proof-of-possession-02 unencrypted oct JWK in encrypted JWT okay?)

Yes, encrypting the claim should only be required when the entire JWT is not 
encrypted. I will have a look.

John B.

On Jul 30, 2015, at 3:12 PM, Brian Campbell <[email protected]> wrote:

I raised the below question during the WGLC back in March but never got any 
response.

JWE does add nontrivial size overhead to the message, and in the case that a JWT 
containing a symmetric confirmation key is already a JWE, the spec would seem 
to require two layers of encryption and the associated overhead that comes 
with it - even though the key is already encrypted by the outer JWE layer.
I believe the draft should speak to how a symmetric key can be represented as a 
claim in the clear when the encryption of it is provided by the JWE/JWT that 
contains it.


On Mon, Mar 23, 2015 at 12:40 AM, Brian Campbell <[email protected]> wrote:
When the JWT is itself encrypted as a JWE, would it not be reasonable to have a 
symmetric key be represented in the cnf claim with the jwk member as an 
unencrypted JSON Web Key?
Is such a possibility left as an exercise to the reader? Or should it be more 
explicitly allowed or disallowed?


_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth

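The rule the thread converges on (a symmetric key may sit unencrypted in the "jwk" member of "cnf" only when the JWT around it is itself a JWE; in a merely signed JWT it has to be carried encrypted) is easy to get wrong on the receiving side. The following is an added example, not code from the thread's participants or from the PoP draft: a resource-server check of the "cnf" claim that enforces that rule, plus a small calculation of the compact-JWE length that a second, nested encryption layer would cost, to put a number on the "nontrivial size overhead" Brian mentions. It assumes the draft's member names "jwk", "jwe" (a JWK encrypted as a compact JWE) and "kid"; the function names, the 128-bit sample key and the "dir"/A128GCM header are constructed for the example.

```python
"""Checks for the proof-of-possession "cnf" claim (added example, not from
the thread or the draft's authors).

Assumptions made here: the "cnf" object carries its key in one of the members
"jwk" (a JWK in the clear), "jwe" (a JWK encrypted as a compact JWE) or "kid"
(a key reference); the caller has already verified/decrypted the outer JWT and
knows whether it was a JWE. Function names and sample values are constructed.
"""
import base64
import json


def base64url_encode(data: bytes) -> str:
    """JOSE base64url encoding: URL-safe alphabet, no '=' padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def outer_is_encrypted(token: str) -> bool:
    """A compact JWE has five '.'-separated segments, a compact JWS has three."""
    return token.count(".") == 4


def check_cnf(cnf: dict, outer_encrypted: bool) -> str:
    """Return how the PoP key is represented, or raise ValueError.

    A symmetric ("oct") key may sit unencrypted in cnf.jwk only when the JWT
    around it is itself encrypted; otherwise it has to travel in cnf.jwe so
    that it is never exposed in the clear.
    """
    members = [m for m in ("jwk", "jwe", "kid") if m in cnf]
    if len(members) != 1:
        raise ValueError(f"cnf must carry exactly one key member, found {members}")
    member = members[0]

    if member == "kid":
        return "kid"

    if member == "jwe":
        if not isinstance(cnf["jwe"], str) or not outer_is_encrypted(cnf["jwe"]):
            raise ValueError("cnf.jwe is not a compact JWE serialization")
        return "jwe"  # key encrypted at claim level: fine with or without an outer JWE

    jwk = cnf["jwk"]
    kty = jwk.get("kty")
    if kty == "oct":
        if "k" not in jwk:
            raise ValueError("symmetric cnf.jwk lacks the 'k' value")
        if not outer_encrypted:
            raise ValueError(
                "symmetric key in cnf.jwk of an unencrypted JWT would be exposed; "
                "carry it in cnf.jwe instead"
            )
        return "jwk-symmetric"
    if kty in ("RSA", "EC"):
        if "d" in jwk:  # 'd' is the private parameter for both RSA and EC JWKs
            raise ValueError("cnf.jwk must hold a public key, not private material")
        return "jwk-public"
    raise ValueError(f"unsupported cnf.jwk kty {kty!r}")


def jwe_compact_length(plaintext_len: int, header=None) -> int:
    """Length of a compact JWE that directly AES-GCM-encrypts plaintext_len bytes.

    With alg "dir" the encrypted-key segment is empty; AES-GCM uses a 96-bit IV
    and a 128-bit tag, and the ciphertext is as long as the plaintext (RFC 7518).
    This sizes the second JWE layer that a nested "jwe" member would require.
    """
    if header is None:
        header = {"alg": "dir", "enc": "A128GCM"}
    header_b64 = base64url_encode(json.dumps(header, separators=(",", ":")).encode())
    segments = [header_b64, "", base64url_encode(bytes(12)),
                base64url_encode(bytes(plaintext_len)), base64url_encode(bytes(16))]
    return len(".".join(segments))


# Constructed sample: a 128-bit symmetric PoP key as an "oct" JWK.
SAMPLE_KEY = bytes(range(16))
SAMPLE_OCT_JWK = {"kty": "oct", "k": base64url_encode(SAMPLE_KEY)}


def demo() -> dict:
    """Run the check in the two situations the thread contrasts."""
    inside_jwe = check_cnf({"jwk": SAMPLE_OCT_JWK}, outer_encrypted=True)
    try:
        check_cnf({"jwk": SAMPLE_OCT_JWK}, outer_encrypted=False)
        inside_jws = "accepted"
    except ValueError as exc:
        inside_jws = f"rejected: {exc}"
    jwk_bytes = len(json.dumps(SAMPLE_OCT_JWK, separators=(",", ":")))
    return {
        "oct jwk inside JWE": inside_jwe,
        "oct jwk inside plain JWS": inside_jws,
        "extra bytes for a nested JWE around that JWK": jwe_compact_length(jwk_bytes) - jwk_bytes,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The size figure counts only the JWE framing (header, IV, tag, base64url expansion of the ciphertext); a non-"dir" algorithm adds an encrypted-key segment on top of that, so the number is a lower bound for the double-encryption case the draft would otherwise require.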