oauth2.dev

verify

IESG

Registry Context

`verify` is the JWK key operation value for verifying a digital signature or MAC.

Technical Summary

RFC 7517 defines `verify` as a value in the JWK `key_ops` array, denoting verification of a digital signature or MAC.

When Used

Use when a JWK declares that the key is intended for signature or MAC verification.

Normative Requirements

Unspecified actor

MAY
1
  1. RFC 7517 - Section 4.3

    use key operation values other than those defined in RFC 7517.

    Condition: when specifying a JWK `key_ops` array

    Other values MAY be used.

OPTIONAL
1
  1. RFC 7517 - Section 4.3

    include the `key_ops` member.

    Condition: unless the application requires its presence

    Use of the "key_ops" member is OPTIONAL, unless the application requires its presence.

A JWK producer

MUST NOT
1
  1. RFC 7517 - Section 4.3

    include duplicate key operation values in the array.

    Condition: when using the `key_ops` member

    Duplicate key operation values MUST NOT be present in the array.

MUST
1
  1. RFC 7517 - Section 4.3

    ensure that the `use` and `key_ops` members convey consistent information.

    Condition: if both members are used

    If both are used, the information they convey MUST be consistent.

SHOULD NOT
3
  1. RFC 7517 - Section 4.3

    specify multiple unrelated key operations for a key.

    Multiple unrelated key operations SHOULD NOT be specified for a key because of the potential vulnerabilities associated with using the same key with multiple algorithms.

  2. RFC 7517 - Section 4.3

    use key-operation combinations other than `sign` with `verify`, `encrypt` with `decrypt`, or `wrapKey` with `unwrapKey`.

    Condition: when specifying multiple operations for one key

    Other combinations SHOULD NOT be used.

  3. RFC 7517 - Section 4.3

    use the `use` and `key_ops` members together.

    The "use" and "key_ops" JWK members SHOULD NOT be used together.

Validation Guidance

info

Allow unrecognized case-sensitive `key_ops` values unless application policy restricts them.

error

Reject a `key_ops` array containing `verify` more than once.

info

Do not require `key_ops` unless the application profile requires its presence.

warning

Warn when `verify` is combined with unrelated operations; `sign` with `verify` is the permitted pairing identified by RFC 7517.

warning

Warn when a JWK contains both `use` and `key_ops`.

error

When both `use` and `key_ops` are present, reject or report them if they convey inconsistent intended uses.

Security Notes

RFC 7517 - Section 4.3

Using the same key for multiple unrelated operations can create vulnerabilities associated with using one key with multiple algorithms.

Reference

Details

Entry Id
verify
Key Operation Value
verify
Key Operation Description
Verify digital signature or MAC
Change Controller
IESG
Reference
RFC7517 - Section 4.3