unwrapKey
Registry Context
`unwrapKey` identifies a key intended to decrypt an encrypted key and validate the decryption, if applicable.
Technical Summary
`unwrapKey` is a case-sensitive JWK `key_ops` value defined by RFC 7517 for decrypting a key and validating the decryption, if applicable.
When Used
Use `unwrapKey` in a JWK `key_ops` array to identify a key intended for key unwrapping.
Normative Requirements
Unspecified actor
RFC 7517 - Section 4.3
Duplicate key operation values must not be present in a JWK `key_ops` array..
Condition: When a JWK contains a `key_ops` array.
“Duplicate key operation values MUST NOT be present in the array.”
RFC 7517 - Section 4.3
The information conveyed by the JWK `use` and `key_ops` members must be consistent..
Condition: If both members are used.
“if both are used, the information they convey MUST be consistent.”
RFC 7517 - Section 4.3
Multiple unrelated key operations should not be specified for a key, and combinations other than the identified related pairs should not be used..
Condition: When specifying multiple operations in `key_ops`; `wrapKey` with `unwrapKey` is an identified permitted combination.
“Multiple unrelated key operations SHOULD NOT be specified for a key” and “other combinations SHOULD NOT be used.”
RFC 7517 - Section 4.3
The JWK `use` and `key_ops` members should not be used together..
Condition: When describing the intended use or operations of a JWK.
“The "use" and "key_ops" JWK members SHOULD NOT be used together”
RFC 7517 - Section 8.3.1
A registered key operation name should be short and should not exceed 8 characters without a compelling reason..
Condition: When requesting registration of a JWK key operation value.
“it is RECOMMENDED that the name be short -- not to exceed 8 characters without a compelling reason”
RFC 7517 - Section 4.3
The JWK `key_ops` member is optional..
Condition: Unless the application requires its presence.
“Use of the "key_ops" member is OPTIONAL, unless the application requires its presence.”
Validation Guidance
Verify that the value is spelled exactly `unwrapKey`; key operation values are case-sensitive strings.
Reject a JWK `key_ops` array containing `unwrapKey` more than once.
Flag combinations of `unwrapKey` with unrelated operations; `wrapKey` with `unwrapKey` is expressly permitted.
Flag a JWK that uses both `use` and `key_ops`.
If both `use` and `key_ops` are present, reject inconsistent intended-use information.
Security Notes
RFC 7517 - Section 4.3
Specifying multiple unrelated operations can expose a key to vulnerabilities associated with using the same key with multiple algorithms.
Reference
Details
- Entry Id
unwrapKey- Key Operation Value
unwrapKey- Key Operation Description
Decrypt key and validate decryption, if applicable- Change Controller
IESG- Reference
RFC7517 - Section 4.3