decrypt
Registry Context
`decrypt` is a JWK `key_ops` value indicating that the key is intended to decrypt content and validate decryption, if applicable.
Technical Summary
RFC 7517 Section 4.3 defines `decrypt` as a case-sensitive key operation value. Duplicate operations are forbidden. Pairing `decrypt` with `encrypt` is permitted, while unrelated operation combinations SHOULD NOT be used.
When Used
Use in a JWK `key_ops` array when the key is intended for content decryption.
Normative Requirements
Applications
RFC 7517 - Section 4.3
Use key operation values other than those defined by RFC 7517..
Condition: when specifying a JWK `key_ops` array
Other values MAY be used.
RFC 7517 - Section 4.3
Include the `key_ops` member..
Condition: unless the application requires its presence
Use of the "key_ops" member is OPTIONAL, unless the application requires its presence.
JWK producers
RFC 7517 - Section 4.3
Include duplicate key operation values in the `key_ops` array..
Condition: when specifying `key_ops`
Duplicate key operation values MUST NOT be present in the array.
RFC 7517 - Section 4.3
Ensure that the `use` and `key_ops` members convey consistent information..
Condition: if both members are used
if both are used, the information they convey MUST be consistent
RFC 7517 - Section 4.3
Specify multiple unrelated key operations for a key..
Condition: when populating `key_ops`
Multiple unrelated key operations SHOULD NOT be specified for a key
RFC 7517 - Section 4.3
Use the `use` and `key_ops` JWK members together..
The "use" and "key_ops" JWK members SHOULD NOT be used together
Validation Guidance
Compare `decrypt` case-sensitively; a differently cased value is not the RFC-defined `decrypt` operation.
Reject duplicate values in the `key_ops` array.
Warn when `decrypt` is combined with unrelated operations. The `encrypt` and `decrypt` combination is expressly permitted.
Warn when both `use` and `key_ops` are present.
Reject a JWK when `use` and `key_ops` convey inconsistent information.
Security Notes
RFC 7517 - Section 4.3
Multiple unrelated key operations SHOULD NOT be specified because using the same key with multiple algorithms can introduce vulnerabilities.
Reference
Details
- Entry Id
decrypt- Key Operation Value
decrypt- Key Operation Description
Decrypt content and validate decryption, if applicable- Change Controller
IESG- Reference
RFC7517 - Section 4.3