Part 2 should limit allowed JWE algorithms
The current spec says:
JWS algorithm considerations
Both clients and authorisation servers:
shall use PS256 or ES256 algorithms; should not use algorithms that use RSASSA-PKCS1-v1_5 (e.g. RS256); shall not use none;
I think it's an oversight that this says "JWS" at the start. I think it was intended to cover JWE too. The simplest fix is to tweak the section title to say "JWS/JWE considerations".
Comments (9)
reporter: I've always read it to include JWS, JWE - annoying and good spot Luke.
Currently the FAPI specs and text cited only discuss JWS algorithms though, so just adding JWE to the title would be kinda erroneous (i.e. PS256, ES256, RS256 and none are all JWS algs: https://tools.ietf.org/html/rfc7518#section-3.1). It might be a good idea for FAPI to provide some guidance/considerations on JWE but there's more to it than just adding the JWE acronym. Saying not to use RSA1_5 is most likely what FAPI should do and is maybe all that's needed. But there are a lot of JWE 'Key Management' algorithms https://tools.ietf.org/html/rfc7518#section-4.1 and a few JWE 'Content Encryption' algorithms https://tools.ietf.org/html/rfc7518#section-5.1 about which guidance could be given.
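The kind of protected-header policy check the thread is discussing, as an added example (not code from the FAPI spec, the pull request, or anyone on this issue): it inspects the `alg` of a compact JWS or JWE before any cryptographic processing, allows only PS256/ES256 for JWS (rejecting RS256 and `none`, per the quoted spec text) and rejects RSA1_5 for JWE (per the suggestion above). The JWE forbidden list and the `_make` helper for building sample tokens are constructed assumptions.

```python
import base64
import json

# Policy taken from the spec text quoted in the issue: JWS shall use PS256 or
# ES256, shall not use RS256 or "none".
ALLOWED_JWS_ALGS = {"PS256", "ES256"}
# Assumption for this example: JWE key-management algs to refuse. RSA1_5 is the
# one named in the thread; "none" is added because the spec forbids it outright.
FORBIDDEN_JWE_ALGS = {"RSA1_5", "none"}


def _b64url_decode(segment: str) -> bytes:
    # JOSE segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def check_jose_header(compact: str) -> tuple[bool, str]:
    """Return (accepted, reason) for the protected header of a compact-serialised
    JWS (3 segments) or JWE (5 segments). Only the header is parsed; no
    signature or decryption work happens before the alg passes policy."""
    parts = compact.split(".")
    if len(parts) not in (3, 5):
        return False, "not a compact JWS (3 parts) or JWE (5 parts)"
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError as exc:  # covers bad base64, bad UTF-8 and bad JSON
        return False, f"unparseable protected header: {exc}"
    alg = header.get("alg")
    if not isinstance(alg, str):
        return False, "protected header has no string alg"
    if len(parts) == 3:  # JWS
        if alg not in ALLOWED_JWS_ALGS:
            return False, f"JWS alg {alg!r} not in {sorted(ALLOWED_JWS_ALGS)}"
        return True, "JWS alg accepted"
    # JWE: refuse the forbidden key-management algs and require an enc value.
    if alg in FORBIDDEN_JWE_ALGS:
        return False, f"JWE key-management alg {alg!r} is forbidden"
    if not isinstance(header.get("enc"), str):
        return False, "JWE protected header has no enc"
    return True, "JWE alg accepted"


def _make(header: dict, nparts: int) -> str:
    # Constructed sample input: a real protected header followed by dummy
    # segments, enough to exercise the header check without real key material.
    h = base64.urlsafe_b64encode(json.dumps(header).encode()).rstrip(b"=").decode()
    return ".".join([h] + ["x"] * (nparts - 1))
```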
reporter: Opened a pull request based on Brian's 'most likely what FAPI should do' suggestion (thanks Brian!):
https://bitbucket.org/openid/fapi/pull-requests/116/fapi-rw-add-requirements-on-jwe/diff
reporter changed status to closed
FAPI-CIBA & FAPI-RW: Add requirements on JWE
It was always intended that PKCS1 is not used, now the standard actually says this.
It may be desirable for FAPI to go further than this, but everyone is agreed that we want at least this.
As per suggestion from Brian Campbell on the issue.
The way I've added a subsection for encryption is perhaps a little odd. It's an attempt to preserve numbering whilst also not making it awkward to add further JWS restrictions in the future.
closes #208 <<cset aeb0d88dd674>>
changed component to Part 2: Advanced
changed component to FAPI 1 – Part 2: Advanced
changed component to FAPI 1: Advanced
(This was spotted/reported by Luke Popplewell)