oauth2.dev

decrypt

IESG

Registry Context

`decrypt` is a JWK `key_ops` value indicating that the key is intended to decrypt content and validate decryption, if applicable.

Technical Summary

RFC 7517 Section 4.3 defines `decrypt` as a case-sensitive key operation value. Duplicate operations are forbidden. Pairing `decrypt` with `encrypt` is permitted, while unrelated operation combinations SHOULD NOT be used.

When Used

Use in a JWK `key_ops` array when the key is intended for content decryption.

Normative Requirements

Applications

MAY
1
  1. RFC 7517 - Section 4.3

    Use key operation values other than those defined by RFC 7517..

    Condition: when specifying a JWK `key_ops` array

    Other values MAY be used.

OPTIONAL
1
  1. RFC 7517 - Section 4.3

    Include the `key_ops` member..

    Condition: unless the application requires its presence

    Use of the "key_ops" member is OPTIONAL, unless the application requires its presence.

JWK producers

MUST NOT
1
  1. RFC 7517 - Section 4.3

    Include duplicate key operation values in the `key_ops` array..

    Condition: when specifying `key_ops`

    Duplicate key operation values MUST NOT be present in the array.

MUST
1
  1. RFC 7517 - Section 4.3

    Ensure that the `use` and `key_ops` members convey consistent information..

    Condition: if both members are used

    if both are used, the information they convey MUST be consistent

SHOULD NOT
2
  1. RFC 7517 - Section 4.3

    Specify multiple unrelated key operations for a key..

    Condition: when populating `key_ops`

    Multiple unrelated key operations SHOULD NOT be specified for a key

  2. RFC 7517 - Section 4.3

    Use the `use` and `key_ops` JWK members together..

    The "use" and "key_ops" JWK members SHOULD NOT be used together

Validation Guidance

error

Compare `decrypt` case-sensitively; a differently cased value is not the RFC-defined `decrypt` operation.

error

Reject duplicate values in the `key_ops` array.

warning

Warn when `decrypt` is combined with unrelated operations. The `encrypt` and `decrypt` combination is expressly permitted.

warning

Warn when both `use` and `key_ops` are present.

error

Reject a JWK when `use` and `key_ops` convey inconsistent information.

Security Notes

RFC 7517 - Section 4.3

Multiple unrelated key operations SHOULD NOT be specified because using the same key with multiple algorithms can introduce vulnerabilities.

Reference

Details

Entry Id
decrypt
Key Operation Value
decrypt
Key Operation Description
Decrypt content and validate decryption, if applicable
Change Controller
IESG
Reference
RFC7517 - Section 4.3