Re: [jose] Question on enc location

Mike Jones <> Tue, 23 July 2013 15:29 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 140CD11E8293 for <>; Tue, 23 Jul 2013 08:29:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.098
X-Spam-Status: No, score=-4.098 tagged_above=-999 required=5 tests=[AWL=-0.500, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id dN9cH5D8YMkM for <>; Tue, 23 Jul 2013 08:29:13 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 31B9D11E812E for <>; Tue, 23 Jul 2013 08:29:12 -0700 (PDT)
Received: from ( by ( with Microsoft SMTP Server id; Tue, 23 Jul 2013 15:29:11 +0000
Received: from mail213-ch1 (localhost []) by (Postfix) with ESMTP id 530833000F7; Tue, 23 Jul 2013 15:29:11 +0000 (UTC)
X-Forefront-Antispam-Report: CIP:; KIP:(null); UIP:(null); IPV:NLI;;; EFVD:NLI
X-SpamScore: -21
X-BigFish: VS-21(zz98dI9371Ic85fhzz1f42h208ch1ee6h1de0h1fdah2073h1202h1e76h1d1ah1d2ah1fc6hzz1d7338h1de098h1033IL17326ah18c673h1de097h1de096h8275bh8275dhdda1eiz2fh2a8h668h839hd25hf0ah1288h12a5h12bdh137ah1441h1504h1537h153bh15d0h162dh1631h1758h18e1h1946h19b5h19ceh1b0ah1bceh1d0ch1d2eh1d3fh1dfeh1dffh1e1dh1155h)
Received-SPF: pass (mail213-ch1: domain of designates as permitted sender) client-ip=;; ; ;
Received: from mail213-ch1 (localhost.localdomain []) by mail213-ch1 (MessageSwitch) id 1374593348624082_4740; Tue, 23 Jul 2013 15:29:08 +0000 (UTC)
Received: from ( []) by (Postfix) with ESMTP id 89F864004B; Tue, 23 Jul 2013 15:29:08 +0000 (UTC)
Received: from ( by ( with Microsoft SMTP Server (TLS) id; Tue, 23 Jul 2013 15:29:07 +0000
Received: from ([]) by ([]) with mapi id 14.03.0136.001; Tue, 23 Jul 2013 15:29:05 +0000
From: Mike Jones <>
To: Jim Schaad <>, 'Richard Barnes' <>
Thread-Topic: [jose] Question on enc location
Thread-Index: Ac6HM7oJ9KwXoeAcSzSJtgQcSJVj8gABB71gABkzjYAAAKv1gAAGTAVg
Date: Tue, 23 Jul 2013 15:29:05 +0000
Message-ID: <>
References: <05a101ce8733$d96415e0$8c2c41a0$> <> <> <05fd01ce879f$581712a0$084537e0$>
In-Reply-To: <05fd01ce879f$581712a0$084537e0$>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739436B702C5ETK5EX14MBXC284r_"
MIME-Version: 1.0
Cc: "" <>
Subject: Re: [jose] Question on enc location
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 23 Jul 2013 15:29:41 -0000

For the first, no - it's missing the required "recipients" element.

For the second, no - the "recipients" value is missing the required "encrypted_key" value.

Answering Richard's comment - I expect that in most cases people will put elements such as "enc" that are common between all recipients in either the "protected" or "unprotected" top-level headers, but this isn't a requirement.  In the worst case, should a sender use different "enc" values for different recipients, the result will be that the JWE will fail to decrypt for all the recipients in which the "enc" value is incorrect.

                                                            -- Mike

From: Jim Schaad []
Sent: Tuesday, July 23, 2013 5:23 AM
To: 'Richard Barnes'; Mike Jones
Subject: RE: [jose] Question on enc location

As a follow up.   Is this legal?

  Header: <alg:"direct", enc:"AES-GCM"},
  IV: ..., tag:..., payload:...

Or is the line



From: Richard Barnes []
Sent: Tuesday, July 23, 2013 5:04 AM
To: Mike Jones
Cc: Jim Schaad;<>
Subject: Re: [jose] Question on enc location

In which case, it seems like it should be in the top level header, to avoid having it repeated every time.

In general, it seems like there are "content" parameters (e.g., enc, zip, cty) that should go at the top level, and "key" parameters that should be per-recipient (e.g., alg, epk, salt).  It would be helpful to implementors to be clear about what goes where.

On Monday, July 22, 2013, Mike Jones wrote:
No - just that the "enc" field for all recipients be the same.

From:<javascript:_e(%7b%7d,%20'cvml',%20'');> [<javascript:_e(%7b%7d,%20'cvml',%20'');>] On Behalf Of Jim Schaad
Sent: Monday, July 22, 2013 4:33 PM
Subject: [jose] Question on enc location

Is there supposed to be a requirement in the JWE specification that the enc field be in the common protected (or unprotected) header and no in the individual recipient header information?