Re: [OAUTH-WG] Guidance for which key to use for JWE encryption? (draft-ietf-oauth-jwsreq-19)

Filip Skokan <panva.ip@gmail.com> Fri, 26 July 2019 12:07 UTC

From: Filip Skokan <panva.ip@gmail.com>
In-Reply-To: <CA+k3eCRjBgen9SLXS=mt=qsj-OqEQ3ePNwcLT2wGpbX=iaqiDw@mail.gmail.com>
Date: Fri, 26 Jul 2019 14:07:02 +0200
Cc: Танги Ле Пенс <tangui.lepense=40mail.ru@dmarc.ietf.org>, oauth <OAuth@ietf.org>
Message-Id: <0CCE8B72-D140-4638-83B1-FB660D1D2239@gmail.com>
References: <3755f0ec-b9b3-a120-3aa5-5b8df1960dec@mail.ru> <CA+k3eCRjBgen9SLXS=mt=qsj-OqEQ3ePNwcLT2wGpbX=iaqiDw@mail.gmail.com>
To: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/pNMHnuBeBgF5zlea0RkA4bcmhz0>
Subject: Re: [OAUTH-WG] Guidance for which key to use for JWE encryption? (draft-ietf-oauth-jwsreq-19)

Any use:enc, or without “use” or “key_ops”, or key_ops:encrypt/deriveKey, that works with a supported algorithm, or one with the JWA “alg”.

Sent from my iPhone

On 26 Jul 2019, at 14:01, Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org> wrote:

> I'd say this one->* any "enc" key published by the AS on its jwks_uri?
> 
>> On Thu, Jul 25, 2019 at 3:50 PM Танги Ле Пенс <tangui.lepense=40mail.ru@dmarc.ietf.org> wrote:
>> Dear all,
>> 
>> draft-ietf-oauth-jwsreq-19 gives guidance on which key to use to verify a 
>> JWS signature (the client's key) 
>> (https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-19#section-6.2).
>> 
>> However, there is no such guidance for JWE encryption:
>> 
>> * any "enc" key published by the AS on its jwks_uri?
>> 
>> * one specific key of the ones listed at the server's jwks_uri? If so, 
>> how to indicate which one in particular?
>> 
>> * out-of-band configuration?
>> 
>> And should it be part of the specification?
>> 
>> Regards,
>> 
>> -- 
>> 
>> Tangui
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
> 
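The selection rule Filip states in his reply (take a key from the AS's jwks_uri that has use:enc, or has neither "use" nor "key_ops", or has key_ops containing encrypt/deriveKey, provided it works with the chosen JWE "alg", or a key that carries that "alg" itself) can be written down as a small key picker. The following is an added example for this thread, not code from the draft, from any JOSE library, or from any of the posters; the JWKS it runs on is constructed inline with truncated key material, and the ranking order (explicit "alg" match first, then use:enc / key_ops keys, then unconstrained keys) is this example's own choice, not something the thread or RFC 7517 mandates.

```python
"""Pick the JWK from an authorization server's JWKS to encrypt a JWE request object to.

Rule implemented (from the thread; the ranking order is an assumption of this example):
a key qualifies for JWE key-management alg X when its "kty" fits X and it either
  (a) carries "alg": X,
  (b) carries "use": "enc",
  (c) carries "key_ops" including "encrypt" (key wrapping) or "deriveKey" (ECDH-ES), or
  (d) carries neither "use" nor "key_ops".
Keys with "use": "sig", with a non-matching "alg", or with key_ops lacking the needed
operation are never selected, so a signing key is never used as an encryption target.
"""
import json

# JWE key-management algorithms (RFC 7518 section 4.1) -> (required kty, needed key_ops value)
ALG_REQUIREMENTS = {
    "RSA1_5":         ("RSA", "encrypt"),
    "RSA-OAEP":       ("RSA", "encrypt"),
    "RSA-OAEP-256":   ("RSA", "encrypt"),
    "ECDH-ES":        ("EC",  "deriveKey"),
    "ECDH-ES+A128KW": ("EC",  "deriveKey"),
    "ECDH-ES+A192KW": ("EC",  "deriveKey"),
    "ECDH-ES+A256KW": ("EC",  "deriveKey"),
}


def key_allows_alg(jwk, alg):
    """True if `jwk` may be used as the recipient key for JWE alg `alg`."""
    if alg not in ALG_REQUIREMENTS:
        raise ValueError(f"unsupported JWE alg {alg!r}")
    kty, needed_op = ALG_REQUIREMENTS[alg]
    if jwk.get("kty") != kty:
        return False
    # An explicit "alg" on the key is decisive: it must equal the requested alg.
    if "alg" in jwk:
        return jwk["alg"] == alg
    use = jwk.get("use")
    ops = jwk.get("key_ops")
    if use is not None and use != "enc":
        return False            # "use": "sig" (or anything else) is out
    if ops is not None and needed_op not in ops:
        return False            # key_ops present but does not permit this operation
    return True                 # use:enc, matching key_ops, or unconstrained


def select_jwe_key(jwks, alg):
    """Return the JWK to encrypt to, or None if the JWKS has no usable key.

    Ranking (this example's choice): explicit alg match, then keys that declare
    enc/key_ops, then keys that declare nothing; sort is stable, so JWKS order breaks ties.
    """
    candidates = [k for k in jwks.get("keys", []) if key_allows_alg(k, alg)]

    def rank(k):
        if k.get("alg") == alg:
            return 0
        if k.get("use") == "enc" or "key_ops" in k:
            return 1
        return 2

    candidates.sort(key=rank)
    return candidates[0] if candidates else None


def jwe_protected_header(jwk, alg, enc):
    """Build the JWE protected header; carry the key's kid so the AS can find its private key."""
    header = {"alg": alg, "enc": enc}
    if "kid" in jwk:
        header["kid"] = jwk["kid"]
    return header


# Constructed sample JWKS for the demo; "..." stands in for real key material.
SAMPLE_JWKS = json.loads("""{
  "keys": [
    {"kty": "RSA", "kid": "sig-1",  "use": "sig", "alg": "RS256", "n": "...", "e": "AQAB"},
    {"kty": "RSA", "kid": "enc-1",  "use": "enc", "n": "...", "e": "AQAB"},
    {"kty": "EC",  "kid": "ecdh-1", "crv": "P-256", "key_ops": ["deriveKey"], "x": "...", "y": "..."},
    {"kty": "RSA", "kid": "any-1",  "n": "...", "e": "AQAB"},
    {"kty": "RSA", "kid": "oaep-1", "alg": "RSA-OAEP-256", "n": "...", "e": "AQAB"}
  ]
}""")

if __name__ == "__main__":
    for alg in ("RSA-OAEP", "RSA-OAEP-256", "ECDH-ES"):
        key = select_jwe_key(SAMPLE_JWKS, alg)
        print(alg, "->", key and key["kid"], jwe_protected_header(key, alg, "A256GCM") if key else None)
```

With the sample JWKS, RSA-OAEP selects enc-1 (oaep-1 is excluded because its "alg" is RSA-OAEP-256, and sig-1 because of its "alg"/"use"), RSA-OAEP-256 selects oaep-1 on the explicit alg match, and ECDH-ES selects ecdh-1 through its key_ops. Whichever rule an AS and client settle on, putting the chosen key's kid into the protected header is what lets the AS resolve the matching private key without trial decryption.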