jwk
Registry Context
`jwk` identifies a proof-of-possession key by embedding its JSON Web Key representation in the JWT `cnf` claim.
Technical Summary
For an asymmetric private key held by the presenter, `cnf.jwk` contains the corresponding asymmetric public JWK. It may directly contain a symmetric-key JWK only when the JWT is encrypted; otherwise, the symmetric key must use the encrypted representation described by RFC 7800.
When Used
To convey the public key corresponding to a presenter's asymmetric private key, or a symmetric-key JWK when the JWT itself is encrypted.
Normative Requirements
A symmetric key
RFC 7800 - Section 3.2
be encrypted as described in the following section of RFC 7800..
Condition: If the JWT is not encrypted.
If the JWT is not encrypted, the symmetric key MUST be encrypted as described below.
The `jwk` member
RFC 7800 - Section 3.2
be used for a JWK representing a symmetric key..
Condition: Provided that the JWT is encrypted so that the key is not revealed to unintended parties.
The "jwk" member MAY also be used for a JWK representing a symmetric key.
The JWK carried in `cnf.jwk`
RFC 7800 - Section 3.2
contain the required key members for its JWK key type..
Condition: When the `jwk` confirmation method is used.
The JWK MUST contain the required key members for a JWK of that key type.
RFC 7800 - Section 3.2
contain other JWK members, including `kid`..
Condition: When the `jwk` confirmation method is used.
MAY contain other JWK members, including the "kid" (Key ID) member.
Validation Guidance
Reject a `cnf.jwk` value that lacks required members for its JWK key type.
Allow additional JWK members, including `kid`, in `cnf.jwk`.
Reject a directly represented symmetric-key `cnf.jwk` when the JWT is not encrypted; an encrypted symmetric-key representation is required instead.
Security Notes
RFC 7800 - Section 3.2
A symmetric-key JWK may be directly carried in `cnf.jwk` only when the JWT is encrypted so that the key is not revealed to unintended parties. Otherwise, the symmetric key must be encrypted.
Reference
Details
- Entry Id
jwk- Confirmation Method Value
jwk- Confirmation Method Description
JSON Web Key Representing Public Key- Change Controller
IESG- Reference
RFC7800 - Section 3.2