It is great to see "A128CBC+HS256" as a name for an AEAD algorithm (instead of 3 names for enc/int/kdf components).
The rest of the JWE spec needs further edits to properly reflect the AEAD-only model — as does the JWA spec.

1. Drop section 3.2 "Example JWE with a Separate Integrity Check"; rename section 3.1 to be "Example". The difference between an "integrated" AEAD algorithm (eg A256GCM) and a "constructed" AEAD algorithm (eg A128CBC+HS256) shouldn't be visible at this level (ie in this spec).

2. Section 5 "Message Encryption", step 1: the size of the CMK is determined by the AEAD algorithm (enc parameter value), not the size required for the block encryption algorithm.

3. Section 5 "Message Encryption": there is no mention of what the Additional Data is for the AEAD algorithm. Add a step 11b that defines what the Additional Data is. Adjust step 12 to say the (compressed) plaintext and Additional Data are passed to the AEAD algorithm.

4. Section 6 "Message Decryption": as above, a step needs to specify what the Additional Data is.

5. Section 1 "Introduction": it would be worth mentioning that an AEAD algorithm is used to provide confidentiality and integrity, along with the model of an AEAD algorithm (fixed-length symmetric key; plaintext and Additional Data inputs; iv?; ciphertext and integrity tag outputs).

6. Section 4.1.2 ""enc" (Encryption Method) Header Parameter": say it is an AEAD algorithm. Explicitly state that the "enc" value must imply a specific key length. A specific key length is required for key agreement or for generating a random CMK.

In JWA:

7. Section 4.8.3 "Integrity Calculation for "A128CBC+HS256" and "A256CBC+HS512"" should refer to the Authenticated Data passed to the algorithm. It should not redefine how the Authenticated Data is built from dots and base64url-encodings.

8. Section 4.9 "Plaintext Encryption with AES GCM" similarly should not redefine how the Authenticated Data is built.

Choosing to only support AEAD algorithms was a good choice. It should make it easier to understand the security properties. However, at the moment different AEAD algorithms use different inputs for the Authenticated Data portion, which really undermines any understanding of the security.

--
James Manger

_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
