[OAUTH-WG] Guidance for which key to use for JWE encryption? (draft-ietf-oauth-jwsreq-19)

Танги Ле Пенс <tangui.lepense@mail.ru> Thu, 25 July 2019 21:49 UTC

To: oauth <OAuth@ietf.org>
From: Танги Ле Пенс <tangui.lepense@mail.ru>
Message-ID: <3755f0ec-b9b3-a120-3aa5-5b8df1960dec@mail.ru>
Date: Fri, 26 Jul 2019 00:49:08 +0300
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/SFwTGqAdgC9tSJP_o5QEy-ZK8y0>
Subject: [OAUTH-WG] Guidance for which key to use for JWE encryption? (draft-ietf-oauth-jwsreq-19)

Dear all,

draft-ietf-oauth-jwsreq-19 gives guidance on which key to use to verify a 
JWS's signature (the client's key) 
(https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-19#section-6.2).

However, there is no such guidance for JWE encryption:

* any "enc" key published by the AS on its jwks_uri?

* one specific key of the ones listed at the server's jwks_uri? If so, 
how to indicate which one in particular?

* out-of-band configuration?

And should it be part of the specification?

Regards,

-- 

Tangui
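The three options in the question map directly onto a key-selection policy a client has to implement before it can encrypt a request object to the AS. The following added example (it is not part of the post or of draft-ietf-oauth-jwsreq, and the JWKS, key ids and function names are all constructed for illustration) shows one defensive policy: only keys tagged for encryption (or explicitly allowed untagged keys) and compatible with the chosen key-management "alg" are candidates; a caller-supplied "kid" (from out-of-band configuration) picks one; without a "kid", the selection is refused when more than one key qualifies instead of picking an arbitrary "enc" key. The chosen "kid" is then placed in the JWE protected header, which is how the AS learns which of its keys the client used.

```python
import json

# Constructed sample JWKS (assumed, not taken from the draft or any real AS):
# two RSA encryption keys, one RSA signing key, and one EC key with no "use".
# Key material values are placeholders, not real key parameters.
SAMPLE_JWKS = json.dumps({
    "keys": [
        {"kty": "RSA", "kid": "enc-2019-06", "use": "enc", "alg": "RSA-OAEP-256",
         "n": "placeholder-modulus-1", "e": "AQAB"},
        {"kty": "RSA", "kid": "enc-2019-07", "use": "enc", "alg": "RSA-OAEP-256",
         "n": "placeholder-modulus-2", "e": "AQAB"},
        {"kty": "RSA", "kid": "sig-2019-07", "use": "sig", "alg": "RS256",
         "n": "placeholder-modulus-3", "e": "AQAB"},
        {"kty": "EC", "kid": "untagged", "crv": "P-256",
         "x": "placeholder-x", "y": "placeholder-y"},
    ]
})

# Key type required by each JWE key-management algorithm family (RFC 7518, section 4).
KTY_FOR_ALG = {
    "RSA1_5": "RSA", "RSA-OAEP": "RSA", "RSA-OAEP-256": "RSA",
    "ECDH-ES": "EC", "ECDH-ES+A128KW": "EC", "ECDH-ES+A256KW": "EC",
}
# "key_ops" values that permit using a key to encrypt or wrap/derive a content key.
ENC_KEY_OPS = {"encrypt", "wrapKey", "deriveKey"}


class KeySelectionError(ValueError):
    """Raised when no key, or more than one key, fits the selection policy."""


def encryption_candidates(jwks_json, alg, allow_untagged=False):
    """Return the JWKs in the document that may be used to encrypt to the AS with `alg`."""
    if alg not in KTY_FOR_ALG:
        raise KeySelectionError(f"unsupported key-management alg {alg!r}")
    candidates = []
    for jwk in json.loads(jwks_json).get("keys", []):
        if jwk.get("kty") != KTY_FOR_ALG[alg]:
            continue
        # An "alg" on the key, if present, must match the alg we intend to use.
        if "alg" in jwk and jwk["alg"] != alg:
            continue
        use, key_ops = jwk.get("use"), jwk.get("key_ops")
        if use == "enc":
            pass
        elif use is None and key_ops is not None:
            if not ENC_KEY_OPS & set(key_ops):
                continue
        elif use is None and key_ops is None:
            # RFC 7517 allows any use when both are absent; local policy decides.
            if not allow_untagged:
                continue
        else:
            continue  # "sig" or an unknown "use" value
        candidates.append(jwk)
    return candidates


def select_encryption_key(jwks_json, alg, kid=None, allow_untagged=False):
    """Pick exactly one encryption key; refuse rather than guess when ambiguous."""
    candidates = encryption_candidates(jwks_json, alg, allow_untagged)
    if kid is not None:
        matches = [k for k in candidates if k.get("kid") == kid]
        if len(matches) != 1:
            raise KeySelectionError(f"kid {kid!r}: {len(matches)} usable matches")
        return matches[0]
    if not candidates:
        raise KeySelectionError(f"no {alg} encryption key in JWKS")
    if len(candidates) > 1:
        names = ", ".join(k.get("kid", "<no kid>") for k in candidates)
        raise KeySelectionError(f"ambiguous: {names}")
    return candidates[0]


def jwe_protected_header(jwk, alg, enc="A256GCM"):
    """JWE protected header naming the chosen key so the AS can locate it (RFC 7516 "kid")."""
    header = {"alg": alg, "enc": enc}
    if "kid" in jwk:
        header["kid"] = jwk["kid"]
    return header


def describe_selection(jwks_json, alg, kid=None, allow_untagged=False):
    """Return the chosen kid, or the policy error as a string (handy for logging)."""
    try:
        return select_encryption_key(jwks_json, alg, kid, allow_untagged)["kid"]
    except KeySelectionError as exc:
        return f"error: {exc}"


if __name__ == "__main__":
    print(describe_selection(SAMPLE_JWKS, "RSA-OAEP-256"))                   # ambiguous
    print(describe_selection(SAMPLE_JWKS, "RSA-OAEP-256", kid="enc-2019-07"))  # configured kid
    chosen = select_encryption_key(SAMPLE_JWKS, "RSA-OAEP-256", kid="enc-2019-07")
    print(json.dumps(jwe_protected_header(chosen, "RSA-OAEP-256")))
```

With two "enc" keys and no configured "kid" the selection fails closed, which is the practical consequence of option one in the question; supplying the "kid" (option two or three) resolves it, and the header emitted by `jwe_protected_header` carries that "kid" so the AS does not have to trial-decrypt with every key it publishes.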