key_ops
Registry Context
`key_ops` identifies the operations for which a JWK is intended to be used. It is optional unless required by the application, permits extension values, and discourages unrelated operation combinations and simultaneous use with `use`.
Technical Summary
RFC 7517 Section 4.3 defines `key_ops` as an array of case-sensitive key-operation strings. Duplicate values are prohibited. Extension values are permitted. Multiple unrelated operations are discouraged, and when `use` and `key_ops` both occur, their information must be consistent.
When Used
Use this when generating, validating, or interpreting operation constraints on public, private, or symmetric JWKs.
Normative Requirements
producer
RFC 7517 - Section 4.3
Action: Include duplicate key-operation values in the `key_ops` array.
Condition: When constructing a JWK containing `key_ops`.
Requirement: Duplicate key operation values MUST NOT be present in the array.
RFC 7517 - Section 4.3
Action: Ensure that `use` and `key_ops` convey consistent information.
Condition: If both members are used in the same JWK.
Requirement: If both are used, the information they convey MUST be consistent.
RFC 7517 - Section 4.3
Action: Specify multiple unrelated key operations for one key, or use combinations other than `sign` with `verify`, `encrypt` with `decrypt`, or `wrapKey` with `unwrapKey`.
Condition: When assigning multiple operations to a key.
Requirement: Multiple unrelated key operations SHOULD NOT be specified, and other combinations SHOULD NOT be used.
RFC 7517 - Section 4.3
Action: Use the `use` and `key_ops` members together in the same JWK.
Requirement: The `use` and `key_ops` JWK members SHOULD NOT be used together.
RFC 7517 - Section 4.3
Action: Use key-operation values other than those defined by RFC 7517.
Condition: When constructing a `key_ops` array.
Requirement: Other values MAY be used.
RFC 7517 - Section 4.3
Action: Include the `key_ops` member.
Condition: Unless the application requires its presence.
Requirement: Use of the `key_ops` member is OPTIONAL, unless the application requires its presence.
Validation Guidance
Verify that `key_ops` is an array and that its entries are case-sensitive strings.
Reject duplicate entries in the `key_ops` array.
Allow extension values rather than requiring every value to be one of the values initially defined by RFC 7517.
Warn when more than one operation is listed and the set is not one of the permitted related pairs: `sign` with `verify`, `encrypt` with `decrypt`, or `wrapKey` with `unwrapKey`.
Warn when `use` and `key_ops` are both present, and reject the JWK if they convey inconsistent information.
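The checks listed above, applied to a parsed JWK, as an added example that is not part of the registry entry or RFC 7517. It assumes the RFC 7517 operation names as the known set, and assumes (the RFC does not state this) that `use: "sig"` admits `sign`/`verify` and `use: "enc"` admits the remaining operations; the sample JWKs are constructed and carry no key material.

```python
import json

# Key-operation values defined in RFC 7517 Section 4.3; other values are
# extensions, so an unknown value is reported, never rejected.
RFC7517_OPS = {"sign", "verify", "encrypt", "decrypt", "wrapKey",
               "unwrapKey", "deriveKey", "deriveBits"}
# The only combinations RFC 7517 does not discourage.
RELATED_PAIRS = [{"sign", "verify"}, {"encrypt", "decrypt"},
                 {"wrapKey", "unwrapKey"}]
# ASSUMPTION (not stated by RFC 7517): which operations a `use` value admits.
USE_TO_OPS = {"sig": {"sign", "verify"},
              "enc": {"encrypt", "decrypt", "wrapKey", "unwrapKey",
                      "deriveKey", "deriveBits"}}


def validate_key_ops(jwk):
    """Return (errors, warnings): MUST-level failures and SHOULD NOT findings."""
    errors, warnings = [], []
    ops = jwk.get("key_ops")
    if ops is None:  # key_ops is OPTIONAL
        return errors, warnings
    if not isinstance(ops, list) or not all(isinstance(o, str) for o in ops):
        return ["key_ops must be an array of strings"], warnings
    distinct = set(ops)  # Python string comparison is case-sensitive, as required
    if len(distinct) != len(ops):
        errors.append("duplicate values in key_ops")
    unknown = sorted(distinct - RFC7517_OPS)
    if unknown:
        warnings.append(f"extension values in key_ops: {unknown}")
    if len(distinct) > 1 and distinct not in RELATED_PAIRS:
        warnings.append("multiple unrelated key operations")
    if "use" in jwk:
        warnings.append("use and key_ops both present")
        admitted = USE_TO_OPS.get(jwk["use"])
        if admitted is not None and not (distinct & RFC7517_OPS) <= admitted:
            errors.append(f"key_ops inconsistent with use={jwk['use']!r}")
    return errors, warnings


def validate_jwk_json(text):
    """Parse a JWK from JSON text and validate its key_ops member."""
    return validate_key_ops(json.loads(text))


# Constructed sample JWKs (no real key material), one per rule above.
SAMPLES = {
    "ok":        '{"kty":"oct","kid":"a","key_ops":["sign","verify"]}',
    "dup":       '{"kty":"oct","kid":"b","key_ops":["verify","verify"]}',
    "conflict":  '{"kty":"oct","kid":"c","use":"sig","key_ops":["encrypt"]}',
    "unrelated": '{"kty":"oct","kid":"d","key_ops":["sign","encrypt"]}',
}
```

Errors are the conditions under which the JWK is rejected; warnings are left to the application, which may choose to reject SHOULD NOT combinations as well.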
Security Notes
RFC 7517 - Section 4.3
Multiple unrelated operations are discouraged because using the same key with multiple algorithms can create vulnerabilities.
Reference
Details

| Field | Value |
| --- | --- |
| Entry Id | key_ops |
| Parameter Name | key_ops |
| Parameter Description | Key Operations |
| Used With Kty Value | * |
| Parameter Information Class | Public |
| Change Controller | IESG |
| Reference | RFC 7517, Section 4.3 |