[Openid-specs-ab] Issue #1870: consider changing iss/exp/aud to should omit or must omit when only encrypted (openid/connect)
josephheenan
issues-reply at bitbucket.org
Thu Mar 9 16:08:32 UTC 2023
New issue 1870: consider changing iss/exp/aud to should omit or must omit when only encrypted
https://bitbucket.org/openid/connect/issues/1870/consider-changing-iss-exp-aud-to-should
Joseph Heenan:
As per [https://bitbucket.org/openid/connect/pull-requests/478#comment-376512110](https://bitbucket.org/openid/connect/pull-requests/478#comment-376512110) VP spec currently says:
```
If the JWT is only a JWE, the following processing rules MUST be followed:
- `iss`, `exp` and `aud` MAY be omitted in the JWT Claims Set of the JWE, and if omitted the processing rules
as per [JARM] Section 4.3 related to these claims do not apply.
```
- if the JWE just contains json (i.e. the encrypted but not signed case) then iss/aud/exp are not integrity protected and should probably not ever be trusted, so I’m not sure there’s a case where they’re ever useful and hence we could just say they shouldn’t/mustn’t be used.
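As an added illustration (not part of the issue or of the OpenID specs), the following Python sketch applies the processing rule under discussion on the relying-party side: the JARM Section 4.3 checks on `iss`, `aud` and `exp` run only when the claims are signed (plain JWS or nested JWE(JWS), signalled by `cty: JWT` per RFC 7519 Section 5.2), while for an encrypted-but-not-signed response those three claims are dropped as the issue suggests. The `decrypt` / `verify_signature` callbacks and the `fake_*` / `make_*` helpers are constructed stand-ins with no real cryptography, so the block runs offline.

```python
import base64
import json

UNAUTHENTICATED = ("iss", "exp", "aud")  # not sender-authenticated in an encrypted-only response

def b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def jarm_claim_checks(claims: dict, expected_iss: str, client_id: str, now: float) -> dict:
    """JARM Section 4.3-style checks on iss, aud and exp; only meaningful for signed claims."""
    aud, exp = claims.get("aud"), claims.get("exp")
    aud_ok = client_id in aud if isinstance(aud, list) else aud == client_id
    return {"iss": claims.get("iss") == expected_iss, "aud": aud_ok, "exp": isinstance(exp, (int, float)) and exp > now}

def process_response_jwt(token, decrypt, verify_signature, expected_iss, client_id, now):
    """Return (kind, claims, checks) for a compact JWS, a JWE-only JWT or a nested JWE(JWS).
    decrypt(jwe) -> plaintext bytes and verify_signature(jws) -> bool are supplied by the caller."""
    parts = token.split(".")
    if len(parts) == 3:  # JWS: the signature authenticates the claims, so the JARM checks apply
        if not verify_signature(token):
            raise ValueError("signature verification failed")
        claims = json.loads(b64url_decode(parts[1]))
        return "JWS", claims, jarm_claim_checks(claims, expected_iss, client_id, now)
    if len(parts) != 5:
        raise ValueError("not a compact JWS or JWE")
    header = json.loads(b64url_decode(parts[0]))
    inner = decrypt(token).decode()
    if header.get("cty", "").upper() == "JWT":  # nested JWT: signed, then encrypted
        _, claims, checks = process_response_jwt(inner, decrypt, verify_signature, expected_iss, client_id, now)
        return "JWE(JWS)", claims, checks
    claims = json.loads(inner)  # JWE only: anyone holding the recipient's public key could have built it
    return "JWE", {k: v for k, v in claims.items() if k not in UNAUTHENTICATED}, None

# Constructed stand-ins: no real crypto, the "ciphertext" segment just carries the plaintext
# and the signature segment is a fixed marker, so the checks above can be exercised offline.
def fake_decrypt(jwe: str) -> bytes:
    return b64url_decode(jwe.split(".")[3])

def fake_verify(jws: str) -> bool:
    return jws.endswith(".sig")

def make_jws(claims: dict) -> str:
    return ".".join([b64url_encode(b'{"alg":"RS256"}'), b64url_encode(json.dumps(claims).encode()), "sig"])

def make_jwe(plaintext: str, cty: str = None) -> str:
    header = {"alg": "RSA-OAEP", "enc": "A256GCM", **({"cty": cty} if cty else {})}
    return ".".join([b64url_encode(json.dumps(header).encode()), "ek", "iv", b64url_encode(plaintext.encode()), "tag"])
```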