jwe
Registry Context
`jwe` carries an encrypted JSON Web Key for a symmetric proof-of-possession key inside the JWT `cnf` claim.
Technical Summary
When the presenter holds a symmetric proof-of-possession key, `cnf.jwe` contains a JWE Compact Serialization whose plaintext is the UTF-8 encoding of the symmetric JWK. The JWK is encrypted to a key known to the recipient.
When Used
Used when a JWT confirmation claim needs to convey a symmetric proof-of-possession key without exposing the key directly.
Normative Requirements
An implementation
RFC 7800 - Section 3.1
ignore confirmation members it does not understand..
Condition: In the absence of application-specific requirements for processing those members.
all confirmation members that are not understood by implementations MUST be ignored
The `cnf` claim value
RFC 7800 - Section 3.1
represent only one proof-of-possession key, with at most one of `jwk`, `jwe`, and `jku` present..
Condition: When a JWT contains a `cnf` claim.
The "cnf" claim value MUST represent only a single proof-of-possession key
Validation Guidance
Reject or flag a `cnf` object containing two or more of `jwk`, `jwe`, and `jku`.
Absent application-specific requirements, ignore unrecognized confirmation members rather than rejecting the JWT because of them.
Verify that `cnf.jwe` is a JWE Compact Serialization whose plaintext decrypts to a valid symmetric-key JWK for the intended recipient.
Security Notes
RFC 7800 - Section 3.3
`jwe` is the encrypted representation for conveying a symmetric proof-of-possession key to the recipient without exposing the key directly in the JWT claims.
Reference
Details
- Entry Id
jwe- Confirmation Method Value
jwe- Confirmation Method Description
Encrypted JSON Web Key- Change Controller
IESG- Reference
RFC7800 - Section 3.3