Required or recommended encryption algorithms #2
Comments
|
The many known-to-be-weak-or-compromised algos that are allowed is commonly cited as a weakness of JWT. I suggest we define a limited profile that are allowed in our use case. This is explicitly allowed by RFC 7519 in the steps for validating a JWT:
|
|
The way we've done this in the Verifiable Claims WG is to define cryptography suites for Linked Data Signatures/Proofs to make it easier on developers. So, a developer would pick something like "RsaSignature2018" or "RsaXYZEncryption2018" and the spec for the crypto suite would specify a number of parameters to use in the JWS. Example for a signature (which also applies to encryption) here: https://w3c.github.io/vc-data-model/#proofs-aka-signatures More on crypto suites here: |
|
Given that the proposal uses JWE, it seems best to use the "recommended+" algorithms from Section 4.1 of RFC 7518, such as RSA-OAEP for encryption of the Content Encryption Key (CEK) and ECDH-ES for encryption of the content itself. |
|
The sample from @MasterKeyur in https://github.com/w3c/webpayments-crypto/blob/master/payment-encryption.md uses RSA-OAEP for key exchange and AES-GCM for the content encryption. +1 to these as the initial set of supported algorithms in our JWE profile. |
|
I appreciate the feedback. The idea was this to be starting point for payment request encryption spec. +1 with limited algorithm that are reviewed by security specialist as well as that are performant. Also I did not use signatures specifically because we would need separate key pair for it. I did not use ECDH-ES for content encryption as it does not generate MAC. For key pair generation we can look at ECDH. |
The encryption proposal does not specific which JOSE encryption algorithms are required or recommended. A list of algorithms can be found at https://www.iana.org/assignments/jose/jose.xhtml#web-signature-encryption-algorithms ...
The text was updated successfully, but these errors were encountered: