Re: [OAUTH-WG] ECDH-1PU encryption algorithm

Neil Madden <> Mon, 10 August 2020 08:29 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 3C78C3A0DDC for <>; Mon, 10 Aug 2020 01:29:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id g5hY_CilVWJp for <>; Mon, 10 Aug 2020 01:28:59 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4864:20::335]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id D2DBA3A1426 for <>; Mon, 10 Aug 2020 01:28:58 -0700 (PDT)
Received: by with SMTP id d190so6879584wmd.4 for <>; Mon, 10 Aug 2020 01:28:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google; h=content-transfer-encoding:mime-version:subject:from:in-reply-to:cc :date:message-id:references:to; bh=R2veiZ4WZO4syfyOxtLkJl6Ivh0Hy3WfGZZ93RPJPyo=; b=WUGF+iA1UNDihxD+hscN6Q2GcmUaZptvdPRQXfmsJWLhgTtPvomyJC5T5HPuDib6Ad OLw8cKaH3su3eizSLL5ue1R1mvwCWAvmLBFnmfV/sc7Fy2hL6acxRNNXepDSRyQmXw4E hqpJ0nES5gbpVGJaiINpKGFpeKKhzxAsnA2Mc=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:content-transfer-encoding:mime-version:subject :from:in-reply-to:cc:date:message-id:references:to; bh=R2veiZ4WZO4syfyOxtLkJl6Ivh0Hy3WfGZZ93RPJPyo=; b=CGh3JNAKY9/vSbwwwKlD29hh7pOlEcVFvcvp9qzAljvIFDhKGKQVyVhH7qEUNOrig0 Ciqm7geFIQwV0+NmxcADRrIYC7F9RQn10XF3baXg3/Wv/YnkgMPHDRkA3WKRbaX60qPJ QibZ4WMb1S4v0Hseec1nYppxjoTubC8kuZWXP7p06s1khR1XWi+VBhOpewR3K32psgJo zXtOfETAG4maJ4obIAvfqgYmC6on8rpkZrNodkYOXhMf0WGEUvkuBDnQYloA5I3OT0oM bsIRUAMDyCTdH7HPig67dTFZXeTJuzZQRZRfEcz+x2bLqsw3Iz86TsrjITWRw3fbHp1V efmg==
X-Gm-Message-State: AOAM531dMirbhrvw/fm7AXrFF0Cux/ZlfwUfpY1AB6V1RELI2wPIOXdc XmGoMgMXiAWWM1SYPLnmiMPi5gHCV5E=
X-Google-Smtp-Source: ABdhPJwqUQtsUiSmXStwDAOJa6nNn7eGP8nmtWrICKHAZz0ik6mvU3Rx+wCzZrFuXPEZFhVkNHfBRQ==
X-Received: by 2002:a7b:c3d4:: with SMTP id t20mr23903620wmj.8.1597048136956; Mon, 10 Aug 2020 01:28:56 -0700 (PDT)
Received: from [] ( []) by with ESMTPSA id s20sm19597568wmh.21.2020. (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 10 Aug 2020 01:28:56 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (1.0)
From: Neil Madden <>
In-Reply-To: <>
Date: Mon, 10 Aug 2020 09:28:55 +0100
Message-Id: <>
References: <>
To: Vladimir Dzhuvinov <>
X-Mailer: iPhone Mail (17F80)
Archived-At: <>
Subject: Re: [OAUTH-WG] ECDH-1PU encryption algorithm
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 10 Aug 2020 08:29:01 -0000

Thanks Vladimir,

Responses below

> On 8 Aug 2020, at 10:40, Vladimir Dzhuvinov <> wrote:
> Hi Neil,
> I definitely like the elegance of the proposed alg for JOSE, it provides
> something that isn't currently available in the various classes of algs
> made standard in JOSE.
> I also wanted to ask what's happening with AES SIV for JOSE, if there's
> traction / feedback / support there as well?

Thanks for bringing this up. I’ve not received much feedback about this one, and I haven’t been very good at pushing it. If there is interest then I’d certainly be interested in bringing this forward too. 

That draft might be a better fit for eg the COSE WG though, which could then also register identifiers for JOSE. What do you think?

> Vladimir
>>> On 05/08/2020 13:01, Neil Madden wrote:
>> Hi all,
>> You may remember me from such I-Ds
>> as, which
>> proposes adding a new encryption algorithm to JOSE. I’d like to
>> reserve a bit of time to discuss it at one of the upcoming interim
>> meetings.
>> The basic idea is that in many cases in OAuth and OIDC you want to
>> ensure both confidentiality and authenticity of some token - for
>> example when transferring an ID token containing PII to the client
>> through the front channel, or for access tokens intended to be handled
>> by a specific RS without online token introspection (such as the JWT
>> access token draft). If you have a shared secret key between the AS
>> and the client/RS then you can use symmetric authenticated encryption
>> (alg=dir or alg=A128KW etc). But if you need to use public key
>> cryptography then currently you are limited to a nested
>> signed-then-encrypted JOSE structure, which produces much larger token
>> sizes.
>> The draft adds a new “public key authenticated encryption” mode based
>> on ECDH in the NIST standard “one-pass unified” model. The primary
>> advantage for OAuth usage is that the tokens produced are more compact
>> compared to signing+encryption (~30% smaller for typical access/ID
>> token sizes in compact serialization). Performance-wise, it’s roughly
>> equivalent. I know that size concerns are often a limiting factor in
>> choosing whether to encrypt tokens, so this should help.
>> In terms of implementation, it’s essentially just a few extra lines of
>> code compared to an ECDH-ES implementation. (Some JOSE library APIs
>> might need an adjustment to accommodate the extra private key needed
>> for encryption/public key for decryption).
>> I’ve received a few emails off-list from people interested in using it
>> for non-OAuth use-cases such as secure messaging applications. I think
>> these use-cases can be accommodated without significant changes, so I
>> think the OAuth WG would be a good venue for advancing this.
>> I’d be interested to hear thoughts and discussion on the list prior to
>> any discussion at an interim meeting.
>> — Neil