[Openid-specs-fapi] Issue #391: text about encryption algorithms in part2 may need clarification (openid/fapi)

josephheenan issues-reply at bitbucket.org
Tue Mar 9 17:36:56 UTC 2021


New issue 391: text about encryption algorithms in part2 may need clarification
https://bitbucket.org/openid/fapi/issues/391/text-about-encryption-algorithms-in-part2

Joseph Heenan:

Part 2 currently states:

---

For JWE, both clients and authorization servers

1. shall not use the `RSA1_5` algorithm.

---

[https://www.iana.org/assignments/jose/jose.xhtml#web-signature-encryption-algorithms](https://www.iana.org/assignments/jose/jose.xhtml#web-signature-encryption-algorithms) lists various encryption algorithms. I presume it’s probably implicit that you shouldn’t use an algorithm listed as prohibited there (e.g. `A128CBC`) but perhaps we should be more explicit? (Originally brought to my attention by Ray Voss in the FDX Security WG.)

I’m also not entirely clear that it’s in keeping to allow the use of symmetric keys (`dir`).
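An added example, not part of the original post or of the FAPI specification: a check of a compact-serialized JWE's protected header against the rule quoted above. Only `RSA1_5` comes from the Part 2 text; the `REGISTRY_PROHIBITED` and `NEEDS_REVIEW` sets, the function names and the sample tokens are assumptions constructed for illustration, with `A128CBC` and `dir` taken from the post's own examples.

```python
import base64
import json

FORBIDDEN = {"RSA1_5"}             # "shall not use" in the Part 2 text quoted above
REGISTRY_PROHIBITED = {"A128CBC"}  # assumption: local copy of registry entries marked prohibited
NEEDS_REVIEW = {"dir"}             # assumption: flag direct symmetric-key use for a policy decision


def b64url_decode(segment):
    """Decode base64url with the padding that JOSE strips restored."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def check_jwe_header(compact):
    """Return a list of policy findings for a compact-serialized JWE; empty means pass."""
    parts = compact.split(".")
    if len(parts) != 5:
        return ["malformed: expected five dot-separated segments"]
    try:
        header = json.loads(b64url_decode(parts[0]))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return ["malformed: protected header is not base64url JSON"]
    if not isinstance(header, dict):
        return ["malformed: protected header is not a JSON object"]
    findings = []
    for field in ("alg", "enc"):  # both are required header parameters in a JWE
        value = header.get(field)
        if not isinstance(value, str):
            findings.append(f"reject: {field} missing or not a string")
        elif value in FORBIDDEN:
            findings.append(f"reject: {field}={value} forbidden by Part 2")
        elif value in REGISTRY_PROHIBITED:
            findings.append(f"reject: {field}={value} prohibited in registry copy")
        elif value in NEEDS_REVIEW:
            findings.append(f"review: {field}={value} uses a shared symmetric key")
    return findings


def constructed_jwe(header):
    """Build a constructed sample: real header segment, placeholder remaining segments."""
    raw = json.dumps(header).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode() + ".a2V5.aXY.Y3Q.dGFn"


if __name__ == "__main__":
    for hdr in ({"alg": "RSA-OAEP-256", "enc": "A256GCM"}, {"alg": "RSA1_5", "enc": "A256GCM"},
                {"alg": "dir", "enc": "A128CBC"}):
        print(hdr, "->", check_jwe_header(constructed_jwe(hdr)) or "pass")
```

The check reads only the header segment, so it can run before any key is touched and before decryption is attempted.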
