oauth2.dev

encrypt

IESG

Registry Context

`encrypt` indicates that a JWK is intended to encrypt content.

Technical Summary

RFC 7517 Section 4.3 defines `encrypt` as a case-sensitive value in the `key_ops` array. Duplicate values are prohibited, unrelated operation combinations are discouraged, and `key_ops` must be consistent with `use` when both members are present.

When Used

When identifying a JWK as intended for content encryption.

Normative Requirements

JWK producers

MUST NOT
1
  1. RFC 7517 - Section 4.3

    Include duplicate key operation values in the `key_ops` array..

    Condition: When constructing a `key_ops` array, including one containing `encrypt`.

    Duplicate key operation values MUST NOT be present in the array.

SHOULD NOT
3
  1. RFC 7517 - Section 4.3

    Specify multiple unrelated key operations for one key..

    Condition: When defining a key's operations, including `encrypt`.

    Multiple unrelated key operations SHOULD NOT be specified for a key

  2. RFC 7517 - Section 4.3

    Combine `encrypt` with operations other than its related `decrypt` operation..

    Condition: When specifying multiple operations in `key_ops`.

    "encrypt" with "decrypt" ... [is] permitted, but other combinations SHOULD NOT be used.

  3. RFC 7517 - Section 4.3

    Use the `use` and `key_ops` members together..

    Condition: When describing a JWK's intended use or operations.

    The "use" and "key_ops" JWK members SHOULD NOT be used together

OPTIONAL
1
  1. RFC 7517 - Section 4.3

    Include the `key_ops` member..

    Condition: Unless the application requires its presence.

    Use of the "key_ops" member is OPTIONAL, unless the application requires its presence.

JWK producers and processors

MUST
1
  1. RFC 7517 - Section 4.3

    Ensure that `use` and `key_ops` convey consistent information..

    Condition: If both members are present in a JWK.

    if both are used, the information they convey MUST be consistent.

Validation Guidance

error

Reject a `key_ops` array containing duplicate values, including duplicate `encrypt` entries.

info

Allow `key_ops` to be absent unless the application requires its presence.

warning

Warn when `encrypt` is combined with unrelated operations; `encrypt` and `decrypt` are the related permitted pair identified by this section.

warning

Warn when both `use` and `key_ops` are present.

error

Reject or flag as invalid a JWK whose `use` and `key_ops` values convey inconsistent information.

error

Compare `encrypt` case-sensitively; differently cased strings are not the RFC-defined `encrypt` value.

Security Notes

RFC 7517 - Section 4.3

Specifying multiple unrelated key operations can create vulnerabilities associated with using the same key with multiple algorithms.

Reference

Details

Entry Id
encrypt
Key Operation Value
encrypt
Key Operation Description
Encrypt content
Change Controller
IESG
Reference
RFC7517 - Section 4.3