encrypt
Registry Context
`encrypt` indicates that a JWK is intended to encrypt content.
Technical Summary
RFC 7517 Section 4.3 defines `encrypt` as a case-sensitive value in the `key_ops` array. Duplicate values are prohibited, unrelated operation combinations are discouraged, and `key_ops` must be consistent with `use` when both members are present.
When Used
When identifying a JWK as intended for content encryption.
Normative Requirements
JWK producers
RFC 7517 - Section 4.3
Include duplicate key operation values in the `key_ops` array..
Condition: When constructing a `key_ops` array, including one containing `encrypt`.
Duplicate key operation values MUST NOT be present in the array.
RFC 7517 - Section 4.3
Specify multiple unrelated key operations for one key..
Condition: When defining a key's operations, including `encrypt`.
Multiple unrelated key operations SHOULD NOT be specified for a key
RFC 7517 - Section 4.3
Combine `encrypt` with operations other than its related `decrypt` operation..
Condition: When specifying multiple operations in `key_ops`.
"encrypt" with "decrypt" ... [is] permitted, but other combinations SHOULD NOT be used.
RFC 7517 - Section 4.3
Use the `use` and `key_ops` members together..
Condition: When describing a JWK's intended use or operations.
The "use" and "key_ops" JWK members SHOULD NOT be used together
RFC 7517 - Section 4.3
Include the `key_ops` member..
Condition: Unless the application requires its presence.
Use of the "key_ops" member is OPTIONAL, unless the application requires its presence.
JWK producers and processors
RFC 7517 - Section 4.3
Ensure that `use` and `key_ops` convey consistent information..
Condition: If both members are present in a JWK.
if both are used, the information they convey MUST be consistent.
Validation Guidance
Reject a `key_ops` array containing duplicate values, including duplicate `encrypt` entries.
Allow `key_ops` to be absent unless the application requires its presence.
Warn when `encrypt` is combined with unrelated operations; `encrypt` and `decrypt` are the related permitted pair identified by this section.
Warn when both `use` and `key_ops` are present.
Reject or flag as invalid a JWK whose `use` and `key_ops` values convey inconsistent information.
Compare `encrypt` case-sensitively; differently cased strings are not the RFC-defined `encrypt` value.
Security Notes
RFC 7517 - Section 4.3
Specifying multiple unrelated key operations can create vulnerabilities associated with using the same key with multiple algorithms.
Reference
Details
- Entry Id
encrypt- Key Operation Value
encrypt- Key Operation Description
Encrypt content- Change Controller
IESG- Reference
RFC7517 - Section 4.3