Open stpeter opened 6 years ago
The many known-to-be-weak-or-compromised algos that are allowed is commonly cited as a weakness of JWT. I suggest we define a limited profile that are allowed in our use case.
This is explicitly allowed by RFC 7519 in the steps for validating a JWT:
- Verify that the resulting JOSE Header includes only parameters and values whose syntax and semantics are both understood and supported or that are specified as being ignored when not understood.
The way we've done this in the Verifiable Claims WG is to define cryptography suites for Linked Data Signatures/Proofs to make it easier on developers. So, a developer would pick something like "RsaSignature2018" or "RsaXYZEncryption2018" and the spec for the crypto suite would specify a number of parameters to use in the JWS. Example for a signature (which also applies to encryption) here: https://w3c.github.io/vc-data-model/#proofs-aka-signatures
More on crypto suites here:
Given that the proposal uses JWE, it seems best to use the "recommended+" algorithms from Section 4.1 of RFC 7518, such as RSA-OAEP for encryption of the Content Encryption Key (CEK) and ECDH-ES for encryption of the content itself.
The sample from @MasterKeyur in https://github.com/w3c/webpayments-crypto/blob/master/payment-encryption.md uses RSA-OAEP for key exchange and AES-GCM for the content encryption.
+1 to these as the initial set of supported algorithms in our JWE profile.
I appreciate the feedback. The idea was this to be starting point for payment request encryption spec. +1 with limited algorithm that are reviewed by security specialist as well as that are performant.
Also I did not use signatures specifically because we would need separate key pair for it.
I did not use ECDH-ES for content encryption as it does not generate MAC. For key pair generation we can look at ECDH.
The encryption proposal does not specific which JOSE encryption algorithms are required or recommended. A list of algorithms can be found at https://www.iana.org/assignments/jose/jose.xhtml#web-signature-encryption-algorithms ...