Re: Encryption beyond ws-security: JWE, encrypted content-coding, CMS or else

Anders Rundgren <> Tue, 29 September 2020 16:44 UTC

To: Roberto Polli <>, HTTP Working Group <>
From: Anders Rundgren <>
Date: Tue, 29 Sep 2020 18:41:38 +0200

On 2020-09-29 17:57, Roberto Polli wrote:
> Hi @all,
> I'm trying to find a suitable way to replace ws-* for encrypting
> payload bodies with some other specification more suitable to a REST
> approach.
> It seems that the enterprise industry is still fond of JWE - but I'd
> avoid it if I can, considering that a good library like google/tink is
> not going to implement it
> moreover the specs
> Leveraging the content-coding feature of HTTP, there's rfc8188 which
> seems interesting: still I don't know how many implementers are in the
> wild. Don't know if that mechanism can be extended to PKI encryption.
> Another solution could be CMS / S-mime.
> What do you think/use/suggest?

I believe the use cases for encrypting an entire payload are pretty few,
and probably already implemented in applications like communication
software and copy protected media streaming.

FWIW, I'm working on alternatives to JWS and JWE that are based on
the recently published RFC 8785.  They are targeted at "information-
centric systems" using JSON, like Open Banking.


> Thanks and regards,
> R.
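To show what an RFC 8785 (JSON Canonicalization Scheme) based alternative to JWS buys in practice, here is an added example; it is not code from this thread, not Anders Rundgren's own library, and not reference code from RFC 8785. It assumes a signature property named `signature` (a name chosen for the example), uses HMAC-SHA256 in place of a public-key signature so that only the Python standard library is needed, and restricts numbers to integers (JCS's ES6-style float formatting is left out). The point it demonstrates is that once the canonical form is defined, the signature can live inside the JSON object itself and still verify after an intermediary reorders keys or pretty-prints the document, which is exactly what a base64url-wrapped JWS avoids having to solve.

```python
import hashlib
import hmac
import json

# Hypothetical name of the embedded signature property (an assumption for this
# example, not a name taken from the thread or from any published scheme).
SIGNATURE_PROPERTY = "signature"


def _escape_string(s):
    """JCS string serialization: only the characters RFC 8785 requires are escaped;
    everything else (including non-ASCII) is emitted literally as UTF-8."""
    short = {'"': '\\"', "\\": "\\\\", "\b": "\\b", "\f": "\\f",
             "\n": "\\n", "\r": "\\r", "\t": "\\t"}
    out = []
    for ch in s:
        if ch in short:
            out.append(short[ch])
        elif ord(ch) < 0x20:
            out.append("\\u%04x" % ord(ch))  # lowercase hex, as JCS requires
        else:
            out.append(ch)
    return '"' + "".join(out) + '"'


def canonicalize(value):
    """Serialize a JSON value deterministically: no whitespace, object keys sorted
    by UTF-16 code units, minimal escaping. Numbers are limited to ints here
    (assumption: JCS's ES6-style float formatting is omitted for brevity)."""
    if value is None:
        return "null"
    if value is True:
        return "true"
    if value is False:
        return "false"
    if isinstance(value, int):
        return str(value)
    if isinstance(value, float):
        raise TypeError("float serialization not implemented in this example")
    if isinstance(value, str):
        return _escape_string(value)
    if isinstance(value, list):
        return "[" + ",".join(canonicalize(v) for v in value) + "]"
    if isinstance(value, dict):
        # Byte-wise comparison of UTF-16BE encodings equals UTF-16 code-unit order.
        ordered = sorted(value.items(), key=lambda kv: kv[0].encode("utf-16-be"))
        return "{" + ",".join(_escape_string(k) + ":" + canonicalize(v)
                              for k, v in ordered) + "}"
    raise TypeError("unsupported type: %r" % type(value))


def sign_in_place(obj, key):
    """Return a copy of obj carrying a MAC over its canonical form. HMAC stands in
    for a public-key signature so the example needs only the standard library."""
    body = {k: v for k, v in obj.items() if k != SIGNATURE_PROPERTY}
    mac = hmac.new(key, canonicalize(body).encode("utf-8"), hashlib.sha256).hexdigest()
    signed = dict(body)
    signed[SIGNATURE_PROPERTY] = mac
    return signed


def verify_in_place(obj, key):
    """Strip the signature property, re-canonicalize, recompute and compare."""
    if SIGNATURE_PROPERTY not in obj or not isinstance(obj[SIGNATURE_PROPERTY], str):
        return False
    body = {k: v for k, v in obj.items() if k != SIGNATURE_PROPERTY}
    expected = hmac.new(key, canonicalize(body).encode("utf-8"), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, obj[SIGNATURE_PROPERTY])


def demo():
    """Constructed sample: a signed payment-like object survives re-serialization
    with a different key order and whitespace, while a changed value fails."""
    key = b"constructed-demo-key"  # constructed sample key, not a real secret
    signed = sign_in_place({"amount": 100, "currency": "EUR", "to": "acct-42"}, key)
    # Re-emit with another key order and pretty-printing, as an intermediary might.
    reordered_text = json.dumps(
        {"to": signed["to"], SIGNATURE_PROPERTY: signed[SIGNATURE_PROPERTY],
         "currency": signed["currency"], "amount": signed["amount"]}, indent=2)
    tampered = dict(signed)
    tampered["amount"] = 1000
    return {
        "original": verify_in_place(signed, key),
        "reordered": verify_in_place(json.loads(reordered_text), key),
        "tampered": verify_in_place(tampered, key),
    }


if __name__ == "__main__":
    print(demo())
```

The verifier never sees the bytes the signer hashed; it reconstructs them from the parsed object, so every rule of the canonical form (key order, escaping, number formatting) is security-relevant: any divergence between two implementations turns into a verification failure at best and, with lax parsers, an ambiguity at worst. That is the trade an RFC 8785 based design makes in exchange for keeping the JSON readable.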