verify
Registry Context
`verify` is the JWK key operation value for verifying a digital signature or MAC.
Technical Summary
RFC 7517 defines `verify` as a value in the JWK `key_ops` array, denoting verification of a digital signature or MAC.
When Used
Use when a JWK declares that the key is intended for signature or MAC verification.
Normative Requirements
Unspecified actor
RFC 7517 - Section 4.3
use key operation values other than those defined in RFC 7517.
Condition: when specifying a JWK `key_ops` array
Other values MAY be used.
RFC 7517 - Section 4.3
include the `key_ops` member.
Condition: unless the application requires its presence
Use of the "key_ops" member is OPTIONAL, unless the application requires its presence.
A JWK producer
RFC 7517 - Section 4.3
include duplicate key operation values in the array.
Condition: when using the `key_ops` member
Duplicate key operation values MUST NOT be present in the array.
RFC 7517 - Section 4.3
ensure that the `use` and `key_ops` members convey consistent information.
Condition: if both members are used
If both are used, the information they convey MUST be consistent.
RFC 7517 - Section 4.3
specify multiple unrelated key operations for a key.
Multiple unrelated key operations SHOULD NOT be specified for a key because of the potential vulnerabilities associated with using the same key with multiple algorithms.
RFC 7517 - Section 4.3
use key-operation combinations other than `sign` with `verify`, `encrypt` with `decrypt`, or `wrapKey` with `unwrapKey`.
Condition: when specifying multiple operations for one key
Other combinations SHOULD NOT be used.
RFC 7517 - Section 4.3
use the `use` and `key_ops` members together.
The "use" and "key_ops" JWK members SHOULD NOT be used together.
Validation Guidance
Allow unrecognized case-sensitive `key_ops` values unless application policy restricts them.
Reject a `key_ops` array containing `verify` more than once.
Do not require `key_ops` unless the application profile requires its presence.
Warn when `verify` is combined with unrelated operations; `sign` with `verify` is the permitted pairing identified by RFC 7517.
Warn when a JWK contains both `use` and `key_ops`.
When both `use` and `key_ops` are present, reject or report them if they convey inconsistent intended uses.
Security Notes
RFC 7517 - Section 4.3
Using the same key for multiple unrelated operations can create vulnerabilities associated with using one key with multiple algorithms.
Reference
Details
- Entry Id
verify- Key Operation Value
verify- Key Operation Description
Verify digital signature or MAC- Change Controller
IESG- Reference
RFC7517 - Section 4.3