On Sat, Oct 11, 2025 at 02:52:11PM +0200, Filip Skokan wrote:
> @Ilari Liusvaara <[email protected]>
>
> > And if encrypting to multiple JWKs and there is
> > a single-recipient one? Ouch.
>
> I don't follow what you're describing here, when using General JWE JSON
> Serialization Syntax with multiple recipients (i.e. encrypting to multiple
> JWKs, but not necessarily JWKs) there's one CEK and one ciphertext, ergo
> any Direct Agreement-like algorithm, albeit ECDH-ES (no KW), dir, ML-KEM-*
> (no KW), or HPKE using integrated encryption, is not possible in the first
> place.
All the current JWK asymmetric encryption keys (RSA-OAEP, ECDH and even
JOSE-HPKE/AKP) can work just fine with one or many recipients. Even
encrypt-only EC2 keys work (use:enc). The only potential footgun is
specifying alg for ECDH keys, don't do that.

(COSE is a bit different. It does not have use:enc, but can perform
multi-recipient encryption using Direct Key Agreement[1].)

[1] COSE allows all sorts of weird stuff, including plenty where I have no
idea why anyone would want to do such thing (e.g., anything that involves
"Rec_Recipient" or layer3).

-Ilari

_______________________________________________
jose mailing list -- [email protected]
To unsubscribe send an email to [email protected]
