Re: [OAUTH-WG] Guidance for which key to use for JWE encryption? (draft-ietf-oauth-jwsreq-19)

Fri, 26 Jul 2019 06:36:55 -0700 

Thanks for your answers.
Let me rephrase if you don't mind. Acceptable keys for decryption of a request object are those with: 

   (use:enc or no use)

   AND

   (key_ops:encrypt or key_ops:deriveKey or no key_ops)

   AND


   (alg in request_object_encryption_alg_values_supported (from OpenID 
Connect discovery) or no alg)



Is that correct? I'm not sure I get the "keyops:encrypt/deriveKey that 
works with a supported algorithm" part.



Also, the draft doesn't mention metadata, ushc as those specified by 
OIDC Discovery. Should it?


Best regards,

--

Tangui

On 26.07.2019 15:07, Filip Skokan wrote:

Any use:enc, without “use” or “key_ops” or keyops:encrypt/deriveKey 
that works with a supported algorithm, or one with the JWA “alg”.


Odesláno z iPhonu


26. 7. 2019 v 14:01, Brian Campbell 
<[email protected] 
<mailto:[email protected]>>:



I'd say this one->* any "enc" key published by the AS on its jwks_uri?


On Thu, Jul 25, 2019 at 3:50 PM Танги Ле Пенс 
<[email protected] 
<mailto:[email protected]>> wrote:


    Dear all,

    draft-ietf-oauth-jwsreq-19 gives guidance on which key use to
    verify a
    JWS' signature (the client's key)
    (https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-19#section-6.2
    <https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-19#section-6..2>).

    However there no such guidance for JWE encryption:

    * any "enc" key published by the AS on its jwks_uri?

    * one specific key of the ones listed at the server's jwks_uri?
    If so,
    how to indicate which one in particular?

    * out-of-band configuration?

    And should it be part of the specification?

    Regards,


    -- 


    Tangui

    _______________________________________________
    OAuth mailing list
    [email protected] <mailto:[email protected]>
    https://www.ietf.org/mailman/listinfo/oauth



/CONFIDENTIALITY NOTICE: This email may contain confidential and 
privileged material for the sole use of the intended recipient(s). 
Any review, use, distribution or disclosure by others is strictly 
prohibited..  If you have received this communication in error, 
please notify the sender immediately by e-mail and delete the message 
and any file attachments from your computer. Thank you./

_______________________________________________
OAuth mailing list
[email protected] <mailto:[email protected]>
https://www.ietf.org/mailman/listinfo/oauth


_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth


_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth






















					Reply via email to