oauth2.dev

Ed448

IESG

Registry Context

Ed448 identifies Ed448 signature key pairs represented as OKP JWKs and used with EdDSA. It must not be used for ECDH-ES.

Technical Summary

RFC 8037 defines Ed448 as an OKP key subtype for the EdDSA signature algorithm. An Ed448 JWK follows the OKP parameter requirements, and the subtype MUST NOT be used for ECDH-ES.

When Used

When representing an Ed448 public or private key as a JWK for EdDSA signatures.

Normative Requirements

An Ed448 JWK

MUST
3
  1. RFC 8037 - Section 2

    set the kty parameter to "OKP".

    The parameter "kty" MUST be "OKP".

  2. RFC 8037 - Section 2

    include the crv parameter with the registered key subtype.

    The parameter "crv" MUST be present and contain the subtype of the key.

  3. RFC 8037 - Section 2

    include the x parameter containing the base64url-encoded public key.

    The parameter "x" MUST be present and contain the public key encoded using the base64url encoding.

An Ed448 private JWK

MUST
1
  1. RFC 8037 - Section 2

    include the d parameter containing the base64url-encoded private key.

    Condition: When the JWK contains a private key

    The parameter "d" MUST be present for private keys and contain the private key encoded using the base64url encoding.

An Ed448 public JWK

MUST NOT
1
  1. RFC 8037 - Section 2

    include the d parameter.

    Condition: When the JWK contains only a public key

    This parameter MUST NOT be present for public keys.

An implementation performing Ed448 key generation or batch signature verification

REQUIRED
1
  1. RFC 8037 - Section 4

    use a well-seeded cryptographic random number generator.

    Condition: When performing key generation or batch signature verification

    If key generation or batch signature verification is performed, a well-seeded cryptographic random number generator is REQUIRED.

The Ed448 key subtype

MUST NOT
1
  1. RFC 8037 - Section 3.1

    be used for Elliptic Curve Diffie-Hellman Ephemeral Static (ECDH-ES).

    These subtypes MUST NOT be used for Elliptic Curve Diffie-Hellman Ephemeral Static (ECDH-ES).

Validation Guidance

error

Reject an Ed448 JWK unless kty is "OKP".

error

Reject an Ed448 JWK that omits crv or whose crv value does not identify its registered key subtype.

error

Reject an Ed448 JWK that omits x or whose x value is not a base64url-encoded public key.

error

Require a base64url-encoded d parameter for an Ed448 private JWK, and reject d in an Ed448 public JWK.

error

Reject use of the Ed448 subtype with ECDH-ES.

info

Use EdDSA as the signing algorithm for Ed448 keys.

error

Ensure a well-seeded cryptographic random number generator is used for Ed448 key generation or batch signature verification.

Security Notes

RFC 8037 - Section 4

Keep key material associated with its key subtype and verify algorithm compatibility; mixing incompatible algorithms can enable attacks.

RFC 8037 - Section 4

Ed448 signatures bind the signing key, but implementations must not assume that all signature algorithms provide this property.

Reference

Details

Entry Id
Ed448
Curve Name
Ed448
Curve Description
Ed448 signature algorithm key pairs
Jose Implementation Requirements
Optional
Change Controller
IESG
Reference
RFC8037 - Section 3.1