Re: [OAUTH-WG] Guidance for which key to use for JWE encryption? (draft-ietf-oauth-jwsreq-19)

Tangui Le Pense <tangui.lepense@mail.ru> Fri, 26 July 2019 13:36 UTC

Return-Path: <tangui.lepense@mail.ru>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C6A47120019 for <oauth@ietfa.amsl.com>; Fri, 26 Jul 2019 06:36:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mail.ru
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xJYEegrxjH7y for <oauth@ietfa.amsl.com>; Fri, 26 Jul 2019 06:36:19 -0700 (PDT)
Received: from smtp47.i.mail.ru (smtp47.i.mail.ru [94.100.177.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DCAF912000F for <OAuth@ietf.org>; Fri, 26 Jul 2019 06:36:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=mail.ru; s=mail2; h=Content-Transfer-Encoding:Content-Type:In-Reply-To:MIME-Version:Date:Message-ID:From:References:Cc:To:Subject; bh=J+0Ek7ZIJe0hAPxXdxMipeU1qrzN1VT5qHQhZJD3+kU=; b=J0H+lpdV+VYCJe3lCJJ74jb79Oi22HBqJGUj/xzl5EiuHOUBYrBvWg8/rx1BlhG1DCWXQfflz/F8XER34jas6cdSQrWb80vEKp3Kemq/qjdxPZUmJsEs6xsPk+mAUkg9VM0bpA9CF8lcvE9A2wfWy2YFnyjulAx04bFuyAe7biI=;
Received: by smtp47.i.mail.ru with esmtpa (envelope-from <tangui.lepense@mail.ru>) id 1hr0ON-0002pA-V0; Fri, 26 Jul 2019 16:36:16 +0300
To: Filip Skokan <panva.ip@gmail.com>, Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>
Cc: =?UTF-8?B?0KLQsNC90LPQuCDQm9C1INCf0LXQvdGB?= <tangui.lepense=40mail.ru@dmarc.ietf.org>, oauth <OAuth@ietf.org>
References: <3755f0ec-b9b3-a120-3aa5-5b8df1960dec@mail.ru> <CA+k3eCRjBgen9SLXS=mt=qsj-OqEQ3ePNwcLT2wGpbX=iaqiDw@mail.gmail.com> <0CCE8B72-D140-4638-83B1-FB660D1D2239@gmail.com>
From: Tangui Le Pense <tangui.lepense@mail.ru>
Message-ID: <ee634d94-3fb3-088a-c87c-fb1d81883745@mail.ru>
Date: Fri, 26 Jul 2019 16:36:14 +0300
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.8.0
MIME-Version: 1.0
In-Reply-To: <0CCE8B72-D140-4638-83B1-FB660D1D2239@gmail.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Content-Language: en-US
Authentication-Results: smtp47.i.mail.ru; auth=pass smtp.auth=tangui.lepense@mail.ru smtp.mailfrom=tangui.lepense@mail.ru
X-77F55803: 0014004E1F3277295A78504BD2AC2941C5305B8A749479D54003B903A109DA0C1A14E06CF3A38046765CBB971BACBDC9
X-7FA49CB5: 0D63561A33F958A512595353267EF330529E0A2EDC7ECA3431F42FF5ACC87A938941B15DA834481FA18204E546F3947C68E4D7E803FA7AD5F6B57BC7E64490618DEB871D839B7333395957E7521B51C2545D4CF71C94A83E9FA2833FD35BB23D27C277FBC8AE2E8BDBA3F3F673D6AB81A471835C12D1D977C4224003CC8364767815B9869FA544D8D32BA5DBAC0009BE9E8FC8737B5C2249AC37AC2B1429C73A76E601842F6C81A12EF20D2F80756B5F868A13BD56FB6657D81D268191BDAD3D78DA827A17800CE75C623DA9A0966939CD04E86FAF290E2DBBC930A3941E20C675ECD9A6C639B01B78DA827A17800CE7F42B85D3353DF1D46564932EFBC77E4B75ECD9A6C639B01B4E70A05D1297E1BBC6867C52282FAC85D9B7C4F32B44FF57285124B2A10EEC6C00306258E7E6ABB4E4A6367B16DE6309
X-Mailru-Sender: 14EA92FCC1671FFE5482AFB7953ED8E17EA2B9C9B7377FB8156835DC3AD38177D48EB18BE89C37CACA32051E784B72BD82C5FF2F5C0BFE3369E1CDCD713A0E3782281E5CC26A8A21A535606A78F2CC074D6D94805F93B69605CEE88C4A91FC465FEEDEB644C299C0ED14614B50AE0675
X-Mras: OK
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/ar5iTwVCCBZKIv9t-Vlr5EKpjgs>
Subject: Re: [OAUTH-WG] Guidance for which key to use for JWE encryption? (draft-ietf-oauth-jwsreq-19)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Jul 2019 13:36:22 -0000

Thanks for your answers.

Let me rephrase if you don't mind. Acceptable keys for decryption of a 
request object are those with:

    (use:enc or no use)

    AND

    (key_ops:encrypt or key_ops:deriveKey or no key_ops)

    AND

    (alg in request_object_encryption_alg_values_supported (from OpenID 
Connect discovery) or no alg)

Is that correct? I'm not sure I get the "keyops:encrypt/deriveKey that 
works with a supported algorithm" part.

Also, the draft doesn't mention metadata, ushc as those specified by 
OIDC Discovery. Should it?

Best regards,

-- 

Tangui

On 26.07.2019 15:07, Filip Skokan wrote:
> Any use:enc, without “use” or “key_ops” or keyops:encrypt/deriveKey 
> that works with a supported algorithm, or one with the JWA “alg”.
>
> Odesláno z iPhonu
>
> 26. 7. 2019 v 14:01, Brian Campbell 
> <bcampbell=40pingidentity.com@dmarc.ietf.org 
> <mailto:bcampbell=40pingidentity.com@dmarc.ietf.org>>:
>
>> I'd say this one->* any "enc" key published by the AS on its jwks_uri?
>>
>> On Thu, Jul 25, 2019 at 3:50 PM Танги Ле Пенс 
>> <tangui.lepense=40mail.ru@dmarc.ietf.org 
>> <mailto:40mail.ru@dmarc.ietf.org>> wrote:
>>
>>     Dear all,
>>
>>     draft-ietf-oauth-jwsreq-19 gives guidance on which key use to
>>     verify a
>>     JWS' signature (the client's key)
>>     (https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-19#section-6.2
>>     <https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-19#section-6..2>).
>>
>>     However there no such guidance for JWE encryption:
>>
>>     * any "enc" key published by the AS on its jwks_uri?
>>
>>     * one specific key of the ones listed at the server's jwks_uri?
>>     If so,
>>     how to indicate which one in particular?
>>
>>     * out-of-band configuration?
>>
>>     And should it be part of the specification?
>>
>>     Regards,
>>
>>     -- 
>>
>>     Tangui
>>
>>     _______________________________________________
>>     OAuth mailing list
>>     OAuth@ietf.org <mailto:OAuth@ietf.org>
>>     https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>> /CONFIDENTIALITY NOTICE: This email may contain confidential and 
>> privileged material for the sole use of the intended recipient(s). 
>> Any review, use, distribution or disclosure by others is strictly 
>> prohibited..  If you have received this communication in error, 
>> please notify the sender immediately by e-mail and delete the message 
>> and any file attachments from your computer. Thank you./
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>> https://www.ietf.org/mailman/listinfo/oauth
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth