oauth2.dev

deriveKey

IESG

Registry Context

`deriveKey` means that the key is intended to derive another key.

Technical Summary

`deriveKey` is a case-sensitive JWK key operation value defined by RFC 7517 for use in the `key_ops` array.

When Used

Use `deriveKey` in a JWK `key_ops` array to indicate that the key is intended for key derivation.

Normative Requirements

Unspecified actor

MUST NOT
1
  1. RFC 7517 - Section 4.3

    Include duplicate key operation values in the `key_ops` array..

    Duplicate key operation values MUST NOT be present in the array.

MUST
1
  1. RFC 7517 - Section 4.3

    Ensure that the information conveyed by `use` and `key_ops` is consistent..

    Condition: When both members are used.

    if both are used, the information they convey MUST be consistent.

SHOULD NOT
3
  1. RFC 7517 - Section 4.3

    Specify multiple unrelated key operations for a key..

    Multiple unrelated key operations SHOULD NOT be specified for a key.

  2. RFC 7517 - Section 4.3

    Use combinations of key operations other than `sign` with `verify`, `encrypt` with `decrypt`, or `wrapKey` with `unwrapKey`..

    Condition: When specifying multiple key operations for a key.

    other combinations SHOULD NOT be used.

  3. RFC 7517 - Section 4.3

    Use the `use` and `key_ops` JWK members together..

    The "use" and "key_ops" JWK members SHOULD NOT be used together.

MAY
1
  1. RFC 7517 - Section 4.3

    Use key operation values other than those defined by RFC 7517..

    Condition: When populating the `key_ops` array.

    Other values MAY be used.

OPTIONAL
1
  1. RFC 7517 - Section 4.3

    Include the `key_ops` member in a JWK..

    Condition: Unless the application requires its presence.

    Use of the "key_ops" member is OPTIONAL, unless the application requires its presence.

Validation Guidance

info

Allow key operation values other than those defined by RFC 7517.

error

Reject `key_ops` arrays containing duplicate values.

info

Allow omission of `key_ops` unless the application requires it.

warning

Warn when multiple unrelated key operations are assigned to one key.

warning

Warn when multiple operations use a combination other than `sign` with `verify`, `encrypt` with `decrypt`, or `wrapKey` with `unwrapKey`.

warning

Warn when `use` and `key_ops` are both present.

error

Fail validation when `use` and `key_ops` convey inconsistent information.

Security Notes

RFC 7517 - Section 4.3

Specifying multiple unrelated key operations can create vulnerabilities associated with using the same key with multiple algorithms.

Reference

Details

Entry Id
deriveKey
Key Operation Value
deriveKey
Key Operation Description
Derive key
Change Controller
IESG
Reference
RFC7517 - Section 4.3