oauth2.dev

sign

IESG

Registry Context

"sign" is a JWK key_ops value meaning that the key is intended to compute a digital signature or MAC.

Technical Summary

RFC 7517 Section 4.3 defines "sign" as a case-sensitive key operation value. The key_ops member is an array of operation values, and "sign" may be combined with "verify".

When Used

When a JWK uses key_ops to indicate that a key is intended for digital signature or MAC computation.

Normative Requirements

JWK producers

MUST NOT
1
  1. RFC 7517 - Section 4.3

    include duplicate key operation values in the key_ops array.

    Condition: when constructing a JWK key_ops member

    Duplicate key operation values MUST NOT be present in the array.

MUST
1
  1. RFC 7517 - Section 4.3

    ensure that use and key_ops convey consistent information.

    Condition: if both members are used

    if both are used, the information they convey MUST be consistent

SHOULD NOT
2
  1. RFC 7517 - Section 4.3

    specify multiple unrelated key operations for a key.

    Multiple unrelated key operations SHOULD NOT be specified for a key

  2. RFC 7517 - Section 4.3

    use the use and key_ops JWK members together.

    The "use" and "key_ops" JWK members SHOULD NOT be used together

OPTIONAL
1
  1. RFC 7517 - Section 4.3

    include the key_ops member.

    Condition: unless the application requires its presence

    Use of the "key_ops" member is OPTIONAL, unless the application requires its presence.

Validation Guidance

error

Report an error when a key_ops array contains duplicate values.

info

Allow key_ops to be absent unless the application requires it.

warning

Warn when a key specifies multiple unrelated operations, such as sign with encrypt.

warning

Warn whenever use and key_ops are both present.

error

Report an error when use and key_ops are both present but convey inconsistent information.

info

Compare key operation values case-sensitively; for example, do not treat "Sign" as "sign".

info

Allow "sign" and "verify" to coexist in the same key_ops array.

Security Notes

RFC 7517 - Section 4.3

Specifying multiple unrelated operations for one key can create vulnerabilities associated with using the same key with multiple algorithms.

Reference

Details

Entry Id
sign
Key Operation Value
sign
Key Operation Description
Compute digital signature or MAC
Change Controller
IESG
Reference
RFC7517 - Section 4.3