Closed justinruggles closed 9 months ago
Can you describe your use-case in a little more detail?
This is secure:
k4.lid.xxxxxxx
) in the footerk4.local-wrap.pie.xxxxxx
) in the footer
k3.seal.
) are also safe.This is insecure:
k4.public.xxxxx
)
For prior art on combining PASERK and PASETO, see
basically it's not clear to me whether it's an intended or appropriate use to put the id of the kek in kid
rather than an id for the full wrapped key. So the footer would have kid
and wpk
, where kid
would refer to the kek rather than the wrapped key.
It's unclear to me whether the id of the wrapping key (kek) should be signalled out-of-band or as the kid claim in the token.