deriveKey
Registry Context
`deriveKey` means that the key is intended to derive another key.
Technical Summary
`deriveKey` is a case-sensitive JWK key operation value defined by RFC 7517 for use in the `key_ops` array.
When Used
Use `deriveKey` in a JWK `key_ops` array to indicate that the key is intended for key derivation.
Normative Requirements
Unspecified actor
RFC 7517 - Section 4.3
Include duplicate key operation values in the `key_ops` array..
Duplicate key operation values MUST NOT be present in the array.
RFC 7517 - Section 4.3
Ensure that the information conveyed by `use` and `key_ops` is consistent..
Condition: When both members are used.
if both are used, the information they convey MUST be consistent.
RFC 7517 - Section 4.3
Specify multiple unrelated key operations for a key..
Multiple unrelated key operations SHOULD NOT be specified for a key.
RFC 7517 - Section 4.3
Use combinations of key operations other than `sign` with `verify`, `encrypt` with `decrypt`, or `wrapKey` with `unwrapKey`..
Condition: When specifying multiple key operations for a key.
other combinations SHOULD NOT be used.
RFC 7517 - Section 4.3
Use the `use` and `key_ops` JWK members together..
The "use" and "key_ops" JWK members SHOULD NOT be used together.
RFC 7517 - Section 4.3
Use key operation values other than those defined by RFC 7517..
Condition: When populating the `key_ops` array.
Other values MAY be used.
RFC 7517 - Section 4.3
Include the `key_ops` member in a JWK..
Condition: Unless the application requires its presence.
Use of the "key_ops" member is OPTIONAL, unless the application requires its presence.
Validation Guidance
Allow key operation values other than those defined by RFC 7517.
Reject `key_ops` arrays containing duplicate values.
Allow omission of `key_ops` unless the application requires it.
Warn when multiple unrelated key operations are assigned to one key.
Warn when multiple operations use a combination other than `sign` with `verify`, `encrypt` with `decrypt`, or `wrapKey` with `unwrapKey`.
Warn when `use` and `key_ops` are both present.
Fail validation when `use` and `key_ops` convey inconsistent information.
Security Notes
RFC 7517 - Section 4.3
Specifying multiple unrelated key operations can create vulnerabilities associated with using the same key with multiple algorithms.
Reference
Details
- Entry Id
deriveKey- Key Operation Value
deriveKey- Key Operation Description
Derive key- Change Controller
IESG- Reference
RFC7517 - Section 4.3