Re: [jose] Question on enc location

"Jim Schaad" <> Tue, 23 July 2013 12:23 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 8E8B711E8105 for <>; Tue, 23 Jul 2013 05:23:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.598
X-Spam-Status: No, score=-3.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id NL-ACB4KERnU for <>; Tue, 23 Jul 2013 05:23:52 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id AD38321F9D8D for <>; Tue, 23 Jul 2013 05:23:52 -0700 (PDT)
Received: from Philemon ( []) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: by (Postfix) with ESMTPSA id A40752CA39; Tue, 23 Jul 2013 05:23:50 -0700 (PDT)
From: Jim Schaad <>
To: 'Richard Barnes' <>, 'Mike Jones' <>
References: <05a101ce8733$d96415e0$8c2c41a0$> <> <>
In-Reply-To: <>
Date: Tue, 23 Jul 2013 05:22:47 -0700
Message-ID: <05fd01ce879f$581712a0$084537e0$>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_05FE_01CE8764.ABD167F0"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQHQTpdhMabkoa5v2EltdYDF5I7dAAGP8XVaAsDOTjuZTBsWgA==
Content-Language: en-us
Subject: Re: [jose] Question on enc location
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 23 Jul 2013 12:23:58 -0000

As a follow up.   Is this legal?



  Header: <alg:"direct", enc:"AES-GCM"},

  IV: ., tag:., payload:.



Or is the line






From: Richard Barnes [] 
Sent: Tuesday, July 23, 2013 5:04 AM
To: Mike Jones
Cc: Jim Schaad;
Subject: Re: [jose] Question on enc location


In which case, it seems like it should be in the top level header, to avoid
having it repeated every time. 


In general, it seems like there are "content" parameters (e.g., enc, zip,
cty) that should go at the top level, and "key" parameters that should be
per-recipient (e.g., alg, epk, salt).  It would be helpful to implementors
to be clear about what goes where. 


On Monday, July 22, 2013, Mike Jones wrote:

No - just that the "enc" field for all recipients be the same.


<javascript:_e(%7b%7d,%20'cvml',%20'');> ] On Behalf Of
Jim Schaad
Sent: Monday, July 22, 2013 4:33 PM
To: <javascript:_e(%7b%7d,%20'cvml',%20'');> 
Subject: [jose] Question on enc location


Is there supposed to be a requirement in the JWE specification that the enc
field be in the common protected (or unprotected) header and no in the
individual recipient header information?