IETF Logo Mail Archive

[jose] HTTP Request/Response using JWE with RSAES

Matt David <matt@netki.com> Tue, 19 July 2016 22:59 UTC

Return-Path: <matt@netki.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 73EB512D0FE for <jose@ietfa.amsl.com>; Tue, 19 Jul 2016 15:59:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=netki.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KJC6RpAMtfKq for <jose@ietfa.amsl.com>; Tue, 19 Jul 2016 15:59:24 -0700 (PDT)
Received: from mail-pa0-x22d.google.com (mail-pa0-x22d.google.com [IPv6:2607:f8b0:400e:c03::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D69A512D0EF for <jose@ietf.org>; Tue, 19 Jul 2016 15:59:24 -0700 (PDT)
Received: by mail-pa0-x22d.google.com with SMTP id ks6so11358783pab.0 for <jose@ietf.org>; Tue, 19 Jul 2016 15:59:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=netki.com; s=google; h=from:content-transfer-encoding:subject:message-id:date:to :mime-version; bh=+brV+ULEXw5FPpOPLvyoUnNZ1Z55t0Y68MnpcFFoUrQ=; b=h/CtlJ9T0jwiASCuLMMCuTu2nkdS++nfMFRX3hsKXKgAxrcSQsFbicPYqM76j/ReAL VUYd68Le+Sl+BP0hV4ZfovRd2mg1SSxni2ghJJfP8yQqCOrZvtwvUdLfyBal9P6oe7mn Yry7/+ixQnmYcSvVr5OybHfFbmlx8UMJ40R0M=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:content-transfer-encoding:subject :message-id:date:to:mime-version; bh=+brV+ULEXw5FPpOPLvyoUnNZ1Z55t0Y68MnpcFFoUrQ=; b=QZIkG/L98+4CwDgA4ti6TySnhVc/hYZmUdedwIJJ48puTY8sKcV+6dRPoqg0l0wNAJ m+JftEVzuLBi/HXqG5Sx7T47jqp8v4PEeGyLML0gLsFl3NcMQqbmvVDd5Vpe0VdtGml7 Wo/FXF2bMDuEA9dGzrkPsHsBsMeNvQMAp8YVvBSgH1+9/PX/b9X/RwF49F/+z4jvbV9h j/givhFfCTfz3UVNMjacC7WQNCVCaKb0ihyrAueS6qCxJqnCot7uALxnIKDfONy7cNNb TLmbfvLwU3R0njmfOo9FHldfJwS0Xx3mVym4bKGXPJjIg+93+8zrIl4RpEBGHgEqNHum lNNg==
X-Gm-Message-State: ALyK8tIHe0x+KITxIA0tAM+MF3Hx5yA2c0cCNIH2x4+8N6GT7im5DW7xqQKamJgETHDo/jxK
X-Received: by 10.66.160.199 with SMTP id xm7mr69187869pab.78.1468969164013; Tue, 19 Jul 2016 15:59:24 -0700 (PDT)
Received: from [10.0.1.9] (cpe-172-251-161-231.socal.res.rr.com. [172.251.161.231]) by smtp.gmail.com with ESMTPSA id tm1sm6980965pab.31.2016.07.19.15.59.22 for <jose@ietf.org> (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Tue, 19 Jul 2016 15:59:22 -0700 (PDT)
From: Matt David <matt@netki.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Message-Id: <DAC087D1-B314-4383-9881-0ECED2769DF4@netki.com>
Date: Tue, 19 Jul 2016 15:59:21 -0700
To: jose@ietf.org
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/C9KRoRuEm3tjjCqkUC_ma4tHw-8>
Subject: [jose] HTTP Request/Response using JWE with RSAES
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jul 2016 22:59:26 -0000

Hey all,

I'm working on a module for Flask that allows it to use JWE as a quick plugin. In my testing, I've run into a situation where I'm using RSAES (RSAES-OAEP, RSAES-1_5) and I want to return a JWS. It seems like there could be 2 ways of going about this, but I don't believe that the RFC addresses it:

1. RSAES one way, CEK-only on the way back
2. RSAES two way, with an EPK included on the originator's JWE sent to the remote end

I like #2 myself because it uses a fresh CEK for each part of the request / response.

It's possible I'm missing something in the RFC, but I'm still unable to find it after reading through it a few times, especially because EPK is specified only for use with ECDH-ES algorithms.

Best,

- Matt

v2.23.0 | Report a Bug | By Email