Add encrypted JWPs #136

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged (3 commits), Aug 22, 2024
Changes from 1 commit
29 changes: 27 additions & 2 deletions draft-ietf-jose-json-web-proof.md
Expand Up @@ -451,6 +451,29 @@ This example flattened JSON serialization shows the presentation form with both
<{{./fixtures/build/bbs-holder.json.jwp.wrapped}}>
Figure: JSON Serialization of Presentation

# Encrypted JSON Web Proofs

Access to JWPs containing non-public material
by parties without legitimate access to the non-public information
MUST be prevented.
This can be accomplished by encrypting the JWP
when potentially observable by such parties
to prevent the disclosure of private information.
The use of an Encrypted JWP, which is a JWE [@!RFC7516]
with a JWP as its plaintext value,
is recommended for this purpose.
The processing of Encrypted JWPs is identical to
the processing of other JWEs.

A `cty` (content type) Header Parameter value of `jwp` is used to indicate
that the content of the JWE is a JWP using the JWP Compact Serialization.
A `cty` (content type) Header Parameter value of `jwp+json` is used to indicate
that the content of the JWE is the UTF-8 encoding of a JWP using the JWP JSON Serialization.
In both cases, the `cty` (content type) Header Parameter MUST be present
unless the application knows that the encrypted content is
a JWP by another means or convention,
in which case the `cty` value would typically be omitted.
Collaborator:
These seem like they should be identical to the guidance in JWP around typ - if present, they SHOULD be the effective media type of the contained JWP. This MAY be in the JWP as the typ protected header parameter, or omitted from the JWP based on context.

Collaborator Author:
We would need to define two new "typ" values saying that the whole thing is an encrypted JWT using one or the other serializations if we were to go that route. But it would be better to use application-defined "typ" values using the +jwp suffix and/or application-defined "typ" values using the JSON Serialization.

Instead, the encryption treatment is intentionally exactly the same as for JWKs. Compare the language in this PR with that at https://www.rfc-editor.org/rfc/rfc7517.html#section-7 and let me know if there are changes you'd like to make it even more parallel.

Collaborator Author:
Oh wait - I get it now. Now that we have explicit typing, we should use the "typ" value of the enclosed JWP as the JWE "cty" value. I'll take a stab at that.

Collaborator Author:
@dwaite I updated the description to cater to explicit typing. Please re-review.


# Security Considerations {#SecurityConsiderations}

Notes to be expanded:
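Review bot: the fixed `cty` values `jwp` and `jwp+json` (the paragraph beginning "A `cty` (content type) Header Parameter value of `jwp` is used") throw away any type information the enclosed JWP already carries; now that the draft has explicit typing through the JWP `typ` header and the `+jwp` suffix, the JWE `cty` should be the effective media type of the enclosed JWP (for instance an application-defined `example+jwp`), with `jwp` and `jwp+json` as the fallback only when the inner JWP carries no `typ`. Two smaller points in the same hunk: "MUST be present unless the application knows ... in which case the `cty` value would typically be omitted" states both a requirement and an expectation in one sentence; say plainly that `cty` MAY be omitted only when the content type is known by other means, which is the RFC 7517 Section 7 wording the author says this mirrors. And "The processing of Encrypted JWPs is identical to the processing of other JWEs" should add that JWE decryption only yields the JWP: the recipient still has to verify the JWP's own proof after decryption, because the JWE authentication tag says nothing about who issued the enclosed proof or whether it is still valid.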
Expand Down Expand Up @@ -657,7 +680,8 @@ This section registers the `+jwp`
structured syntax suffix [@RFC6838]
in the IANA "Structured Syntax Suffix" registry (#IANA.StructuredSuffix)
in the manner described in [@RFC6838],
which can be used to indicate that the media type is encoded as a JWP.
which can be used to indicate that the media type is encoded as a JWP
using the JWP Compact Serialization.
Collaborator:
👍


#### The +jwp Structured Syntax Suffix
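Review bot: narrowing the `+jwp` suffix to "using the JWP Compact Serialization" leaves the JSON Serialization with no corresponding statement in the registry text, while the new Encrypted JWPs section above uses `jwp+json` for exactly that case; the registration text (and the "#### The +jwp Structured Syntax Suffix" entry that follows) should say how a media type for a JSON-serialized JWP is formed, or at least cross-reference the `jwp+json` convention, so that the two sections agree on which suffix means which serialization.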

Expand Down Expand Up @@ -767,7 +791,8 @@ for his valuable contributions to this specification.

[[ To be removed from the final specification ]]

* Update reference to new repository home
* Update reference to new repository home.
* Fixed #83: Added encrypted JWPs.

-05
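Review bot: the changelog entry "Fixed #83: Added encrypted JWPs." omits the second normative change in this PR, the narrowing of the `+jwp` structured syntax suffix to the Compact Serialization; add a separate bullet for it so implementers scanning the history notice the registry change. The period added to "Update reference to new repository home." makes the list punctuation consistent, which is fine.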
