[Openid-specs-fapi] Issue #391: text about encryption algorithms in part2 may need clarification (openid/fapi)
issues-reply at bitbucket.org
Tue Mar 9 17:36:56 UTC 2021
New issue 391: text about encryption algorithms in part2 may need clarification
Part 2 currently states:
For JWE, both clients and authorization servers
1. shall not use the `RSA1_5` algorithm.
[https://www.iana.org/assignments/jose/jose.xhtml#web-signature-encryption-algorithms](https://www.iana.org/assignments/jose/jose.xhtml#web-signature-encryption-algorithms) lists various encryption algorithms. I presume it’s probably implicit that you shouldn’t use an algorithm listed as prohibited there (e.g. `A128CBC`) but perhaps we should be more explicit? (Originally brought to my attention by Ray Voss in the FDX Security WG.)
I’m also not entirely clear that it’s in keeping to allow the use of symmetric keys (`dir`).
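As an added illustration of the kind of check the issue is asking the spec to make explicit (this is example code, not text from the issue, the FAPI specification or any FAPI implementation), the following Python inspects the protected header of a compact-serialized JWE before any decryption is attempted. It denies `RSA1_5` (forbidden by Part 2) and `A128CBC` (listed as Prohibited in the IANA JOSE registry), treats `dir` as off by default to reflect the open question about symmetric keys, and otherwise requires the `alg` and `enc` values to be on an explicit allowlist. The allowlist contents and the `allow_direct` switch are this example's assumptions, not FAPI requirements.

```python
import base64
import json

# Policy constructed for this example (not quoted from FAPI or IANA):
# a denylist for the two algorithms named in the issue, plus an allowlist
# of RFC 7518 key-management and AEAD content-encryption algorithms.
# Anything absent from the allowlist is rejected, so new or unexpected
# values fail closed rather than slipping through.
DENIED_ALG = {"RSA1_5"}   # forbidden by FAPI Part 2
DENIED_ENC = {"A128CBC"}  # listed as Prohibited in the IANA JOSE registry
ALLOWED_ALG = {
    "RSA-OAEP", "RSA-OAEP-256",
    "ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A192KW", "ECDH-ES+A256KW",
}
ALLOWED_ENC = {
    "A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512",
    "A128GCM", "A192GCM", "A256GCM",
}


def _b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment (RFC 7515 Appendix C)."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def check_jwe_header(compact_jwe: str, allow_direct: bool = False) -> list:
    """Return the policy violations found in a compact JWE's protected
    header; an empty list means the header passes. Nothing is decrypted."""
    parts = compact_jwe.split(".")
    if len(parts) != 5:
        return ["not a compact JWE (expected 5 dot-separated segments)"]
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError:  # covers binascii.Error, UnicodeDecodeError, JSONDecodeError
        return ["protected header is not valid base64url-encoded JSON"]
    if not isinstance(header, dict):
        return ["protected header is not a JSON object"]

    problems = []
    alg = header.get("alg")
    enc = header.get("enc")

    if not isinstance(alg, str):
        problems.append("missing or non-string 'alg'")
    elif alg in DENIED_ALG:
        problems.append(f"alg {alg} is forbidden by FAPI Part 2")
    elif alg == "dir":
        # Direct use of a shared symmetric key: the issue questions whether
        # this fits FAPI, so the example disallows it unless opted in.
        if not allow_direct:
            problems.append("alg dir (shared symmetric key) is not permitted by this policy")
    elif alg not in ALLOWED_ALG:
        problems.append(f"alg {alg} is not on the allowlist")

    if not isinstance(enc, str):
        problems.append("missing or non-string 'enc'")
    elif enc in DENIED_ENC:
        problems.append(f"enc {enc} is listed as Prohibited in the IANA JOSE registry")
    elif enc not in ALLOWED_ENC:
        problems.append(f"enc {enc} is not on the allowlist")
    return problems


def make_sample_jwe(alg: str, enc: str) -> str:
    """Build a constructed JWE whose only meaningful segment is the protected
    header; the other four segments are placeholder bytes, since only the
    header is examined here."""
    header = _b64url_encode(json.dumps({"alg": alg, "enc": enc}).encode())
    filler = _b64url_encode(b"\x00" * 16)
    return ".".join([header, filler, filler, filler, filler])


if __name__ == "__main__":
    for alg, enc in [("RSA1_5", "A128CBC-HS256"), ("RSA-OAEP-256", "A128CBC"),
                     ("dir", "A256GCM"), ("ECDH-ES", "A256GCM")]:
        print(alg, enc, "->", check_jwe_header(make_sample_jwe(alg, enc)) or "OK")
```

Running the header check before handing the token to a JWE library matters because most libraries will happily negotiate whatever `alg`/`enc` the sender chose; an allowlist enforced by the receiver is what turns the spec's "shall not use" into behaviour.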