oauth2.dev

wrapKey

IESG

Registry Context

wrapKey is the JWK key operation for encrypting a key.

Technical Summary

`wrapKey` is a defined and registered value for a JWK `key_ops` array, indicating that the key is intended to encrypt another key.

When Used

When a JWK is intended for key wrapping, meaning encryption of another key.

Normative Requirements

Application assigning key operations to a JWK

SHOULD NOT
1
  1. RFC 7517 - Section 4.3

    Specify multiple unrelated key operations for the key..

    Multiple unrelated key operations SHOULD NOT be specified for a key

Application defining a JWK

SHOULD NOT
1
  1. RFC 7517 - Section 4.3

    Use the `use` and `key_ops` members together..

    The "use" and "key_ops" JWK members SHOULD NOT be used together

OPTIONAL
1
  1. RFC 7517 - Section 4.3

    Include the `key_ops` member..

    Condition: Unless the application requires its presence.

    Use of the "key_ops" member is OPTIONAL, unless the application requires its presence.

Application defining or processing a JWK

MUST
1
  1. RFC 7517 - Section 4.3

    Ensure that the `use` and `key_ops` members convey consistent information..

    Condition: If both members are used.

    if both are used, the information they convey MUST be consistent

Application generating a JWK `key_ops` array

MUST NOT
1
  1. RFC 7517 - Section 4.3

    Include duplicate key operation values in the array..

    Duplicate key operation values MUST NOT be present in the array.

Application processing a JWK `key_ops` array

MAY
1
  1. RFC 7517 - Section 4.3

    Use key operation values other than those defined by RFC 7517..

    Other values MAY be used.

Validation Guidance

error

Reject `key_ops` arrays containing duplicate values.

error

Compare `wrapKey` and other `key_ops` values case-sensitively.

info

Allow unrecognized key operation values unless application policy restricts them.

info

Allow omission of `key_ops` unless application policy requires it.

warning

Warn when `wrapKey` is combined with operations other than `unwrapKey`.

warning

Warn when both `use` and `key_ops` are present.

error

Reject a JWK when `use` and `key_ops` are both present but convey inconsistent intended uses.

Security Notes

RFC 7517 - Section 4.3

Specifying multiple unrelated key operations can create vulnerabilities associated with using the same key with multiple algorithms.

Reference

Details

Entry Id
wrapKey
Key Operation Value
wrapKey
Key Operation Description
Encrypt key
Change Controller
IESG
Reference
RFC7517 - Section 4.3