From 4405b2b4dcb96020aecd14b0772d5cb5a4256f68 Mon Sep 17 00:00:00 2001 From: Hannes Tschofenig Date: Mon, 2 Mar 2026 20:07:14 +0100 Subject: [PATCH 1/4] Revise algorithm verification requirements I believe you want to address the essence of what draft-tschofenig-jose-key-identifier-security says in this section and I have tried to make it more clear. Just a different wording. FWIW if you read through the rest of the mitigations you will see that this section alone would prevent many of the problems. --- draft-ietf-oauth-rfc8725bis.md | 21 +++++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) diff --git a/draft-ietf-oauth-rfc8725bis.md b/draft-ietf-oauth-rfc8725bis.md index 02da712..e148a16 100644 --- a/draft-ietf-oauth-rfc8725bis.md +++ b/draft-ietf-oauth-rfc8725bis.md 
@@ -458,12 +458,21 @@ to mitigate the threats listed in the preceding section. ## Perform Algorithm Verification {#algorithm-verification} - Libraries MUST enable the caller to specify a - supported set of algorithms and MUST NOT use any other algorithms when performing cryptographic operations. -The library MUST ensure that the "alg" or "enc" header specifies the same algorithm -that is used for the cryptographic operation. -Moreover, each key MUST be used with exactly one algorithm, -and this MUST be checked when the cryptographic operation is performed. +Libraries MUST provide a mechanism that enables developers to explicitly restrict +the set of algorithms permitted for use and MUST NOT employ any algorithms outside +this configured set when performing cryptographic operations. + +The library MUST verify that the algorithm specified in the "alg" or "enc" header +is consistent with the algorithm associated with the key identified by the +corresponding identifier (e.g., "kid") during key lookup. + +In other words, when a recipient receives a JWT from bob.example.com, it MUST consult +its locally configured policy to determine which algorithms are permitted for that +sender and ensure that the received JWT complies with those expectations. + +In accordance with established cryptographic best practices, each key MUST be bound +to exactly one algorithm. Compliance with this requirement MUST be enforced and +validated at the time the cryptographic operation is executed. Libraries SHOULD opt for defensive security policies to cope with potential issues in the underlying infrastructure, such From b8a426774a74a945db4e2e5a7943888271f351ef Mon Sep 17 00:00:00 2001 From: "Michael B. Jones" Date: Mon, 2 Mar 2026 13:22:12 -0800 Subject: [PATCH 2/4] Apply suggestion from @selfissued --- draft-ietf-oauth-rfc8725bis.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-oauth-rfc8725bis.md b/draft-ietf-oauth-rfc8725bis.md index e148a16..44e8e1b 100644 
--- a/draft-ietf-oauth-rfc8725bis.md +++ b/draft-ietf-oauth-rfc8725bis.md @@ -462,7 +462,7 @@ Libraries MUST provide a mechanism that enables developers to explicitly restric the set of algorithms permitted for use and MUST NOT employ any algorithms outside this configured set when performing cryptographic operations. -The library MUST verify that the algorithm specified in the "alg" or "enc" header +The library MUST verify that the algorithm specified in the "alg" or "enc" header parameter is consistent with the algorithm associated with the key identified by the corresponding identifier (e.g., "kid") during key lookup. From b38f9c73e54f5f70801479155fbbaeb3a29cd7f1 Mon Sep 17 00:00:00 2001 From: "Michael B. Jones" Date: Mon, 2 Mar 2026 13:22:24 -0800 Subject: [PATCH 3/4] Apply suggestion from @selfissued --- draft-ietf-oauth-rfc8725bis.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/draft-ietf-oauth-rfc8725bis.md b/draft-ietf-oauth-rfc8725bis.md index 44e8e1b..de00856 100644 --- a/draft-ietf-oauth-rfc8725bis.md +++ b/draft-ietf-oauth-rfc8725bis.md 
@@ -466,9 +466,11 @@ The library MUST verify that the algorithm specified in the "alg" or "enc" heade is consistent with the algorithm associated with the key identified by the corresponding identifier (e.g., "kid") during key lookup. -In other words, when a recipient receives a JWT from bob.example.com, it MUST consult -its locally configured policy to determine which algorithms are permitted for that -sender and ensure that the received JWT complies with those expectations. +When a recipient receives a JWT signed by a particular issuer, it MUST +determine which algorithms are permitted for that +issuer and ensure that the received JWT complies with those requirements. +It must likewise validate that the algorithms used by encrypted JWTs +are among those supported by the intended recipient. In accordance with established cryptographic best practices, each key MUST be bound to exactly one algorithm. Compliance with this requirement MUST be enforced and From 092132208cc923b3d63ced02b263a111c0a0b994 Mon Sep 17 00:00:00 2001 From: "Michael B. Jones" Date: Mon, 2 Mar 2026 13:22:32 -0800 Subject: [PATCH 4/4] Apply suggestion from @selfissued --- draft-ietf-oauth-rfc8725bis.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/draft-ietf-oauth-rfc8725bis.md b/draft-ietf-oauth-rfc8725bis.md index de00856..4641335 100644 --- a/draft-ietf-oauth-rfc8725bis.md +++ b/draft-ietf-oauth-rfc8725bis.md 
@@ -472,8 +472,8 @@ issuer and ensure that the received JWT complies with those requirements. It must likewise validate that the algorithms used by encrypted JWTs are among those supported by the intended recipient. -In accordance with established cryptographic best practices, each key MUST be bound -to exactly one algorithm. Compliance with this requirement MUST be enforced and +In accordance with established cryptographic best practices, each key MUST be used with +exactly one algorithm. Compliance with this requirement MUST be enforced and validated at the time the cryptographic operation is executed. Libraries SHOULD opt for defensive security policies to cope
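Review bot: in the first patch of the series (hunk @@ -458,12 +458,21 @@), the replacement paragraph narrows the check to consistency between the "alg"/"enc" header and the key looked up via "kid", which drops the requirement the removed lines stated, namely that the header algorithm be the one actually used for the cryptographic operation. Both checks are needed: a library that finds a key by "kid", confirms the key's algorithm matches the header, and then runs a different primitive is still wrong, and keys that carry no "kid" (single-key deployments) need the same binding. Suggest keeping the removed sentence `The library MUST ensure that the "alg" or "enc" header specifies the same algorithm` / `that is used for the cryptographic operation.` alongside the new key-lookup text, and replacing the hard-coded `bob.example.com` in the "In other words" paragraph with a generic issuer, since a specific hostname reads as a normative example rather than an illustration.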
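Review bot: in the third patch (hunk @@ -466,9 +466,11 @@), the added line `+It must likewise validate that the algorithms used by encrypted JWTs` uses a lowercase "must" where the surrounding text uses RFC 2119 MUST; write `It MUST likewise validate` so the requirement is normative. The same sentence also sets a weaker bar for encrypted JWTs ("among those supported by the intended recipient") than the preceding sentence sets for signed ones ("permitted for that issuer"): "supported" admits any algorithm the library happens to implement, whereas the first paragraph of the section requires an explicitly configured permitted set, so suggest "among those permitted by the recipient's configured policy".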
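Review bot: in the fourth patch (hunk @@ -472,8 +472,8 @@), `used with exactly one algorithm` restores the wording of the line removed in the first patch and is the better choice, since "used with" describes what the library enforces while "bound to" only describes the key record. The unchanged context line `validated at the time the cryptographic operation is executed` should say that the check happens before the operation runs, i.e. when the key is selected for the header's algorithm; as written it can be read as permitting validation after the primitive has already consumed the key.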