idnits 2.17.1 

draft-ietf-jose-json-web-encryption-15.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD',
     or 'RECOMMENDED' is not an accepted usage according to RFC 2119.  Please
     use uppercase 'NOT' together with RFC 2119 keywords (if that is what you
     mean).
     
     Found 'MUST not' in this paragraph:
     
     The "crit" (critical) header parameter indicates that extensions to
     [[ this specification ]] are being used that MUST be understood and
     processed.  Its value is an array listing the header parameter names
     defined by those extensions that are used in the JWE Header.  If any of
     the listed extension header parameters are not understood and supported
     by the receiver, it MUST reject the JWE.  Senders MUST NOT include header
     parameter names defined by [[ this specification ]] or by [JWA] for use
     with JWE, duplicate names, or names that do not occur as header parameter
     names within the JWE Header in the "crit" list.  Senders MUST not use the
     empty list "[]" as the "crit" value. Recipients MAY reject the JWE if the
     critical list contains any header parameter names defined by [[ this
     specification ]] or by [JWA] for use with JWE, or any other constraints
     on its use are violated.  This header parameter MUST be integrity
     protected, and therefore MUST occur only with the JWE Protected Header,
     when used. Use of this header parameter is OPTIONAL.  This header
     parameter MUST be understood by implementations.

  -- The document date (September 3, 2013) is 3889 days in the past.  Is this
     intentional?

  -- Found something which looks like a code comment -- if you have code
     sections in the document, please surround them with '<CODE BEGINS>' and
     '<CODE ENDS>' lines.


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  -- Looks like a reference, but probably isn't: '227' on line 1414

  -- Looks like a reference, but probably isn't: '197' on line 1414

  -- Looks like a reference, but probably isn't: '117' on line 1414

  -- Looks like a reference, but probably isn't: '252' on line 1414

  -- Looks like a reference, but probably isn't: '2' on line 1414

  -- Looks like a reference, but probably isn't: '219' on line 1414

  -- Looks like a reference, but probably isn't: '233' on line 1414

  -- Looks like a reference, but probably isn't: '68' on line 1414

  -- Looks like a reference, but probably isn't: '180' on line 1414

  -- Looks like a reference, but probably isn't: '225' on line 1414

  -- Looks like a reference, but probably isn't: '77' on line 1414

  -- Looks like a reference, but probably isn't: '0' on line 2032

  -- Looks like a reference, but probably isn't: '1' on line 2032

  -- Looks like a reference, but probably isn't: '152' on line 2032

  -- Possible downref: Non-RFC (?) normative reference: ref. 'ECMAScript'

  -- Possible downref: Non-RFC (?) normative reference: ref. 'ITU.X690.1994'

  ** Downref: Normative reference to an Historic RFC: RFC 1421

  ** Downref: Normative reference to an Informational RFC: RFC 1951

  ** Obsolete normative reference: RFC 2818 (Obsoleted by RFC 9110)

  ** Obsolete normative reference: RFC 4627 (Obsoleted by RFC 7158, RFC 7159)

  ** Obsolete normative reference: RFC 5246 (Obsoleted by RFC 8446)

  == Outdated reference: A later version (-05) exists of
     draft-mcgrew-aead-aes-cbc-hmac-sha2-01


     Summary: 5 errors (**), 0 flaws (~~), 3 warnings (==), 18 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	JOSE Working Group                                              M. Jones
3	Internet-Draft                                                 Microsoft
4	Intended status: Standards Track                             E. Rescorla
5	Expires: March 7, 2014                                              RTFM
6	                                                           J. Hildebrand
7	                                                                   Cisco
8	                                                       September 3, 2013

10	                       JSON Web Encryption (JWE)
11	                 draft-ietf-jose-json-web-encryption-15

13	Abstract

15	   JSON Web Encryption (JWE) represents encrypted content using
16	   JavaScript Object Notation (JSON) based data structures.
17	   Cryptographic algorithms and identifiers for use with this
18	   specification are described in the separate JSON Web Algorithms (JWA)
19	   specification and IANA registries defined by that specification.
20	   Related digital signature and MAC capabilities are described in the
21	   separate JSON Web Signature (JWS) specification.

23	Status of this Memo

25	   This Internet-Draft is submitted in full conformance with the
26	   provisions of BCP 78 and BCP 79.

28	   Internet-Drafts are working documents of the Internet Engineering
29	   Task Force (IETF).  Note that other groups may also distribute
30	   working documents as Internet-Drafts.  The list of current Internet-
31	   Drafts is at http://datatracker.ietf.org/drafts/current/.

33	   Internet-Drafts are draft documents valid for a maximum of six months
34	   and may be updated, replaced, or obsoleted by other documents at any
35	   time.  It is inappropriate to use Internet-Drafts as reference
36	   material or to cite them other than as "work in progress."

38	   This Internet-Draft will expire on March 7, 2014.

40	Copyright Notice

42	   Copyright (c) 2013 IETF Trust and the persons identified as the
43	   document authors.  All rights reserved.

45	   This document is subject to BCP 78 and the IETF Trust's Legal
46	   Provisions Relating to IETF Documents
47	   (http://trustee.ietf.org/license-info) in effect on the date of
48	   publication of this document.  Please review these documents
49	   carefully, as they describe your rights and restrictions with respect
50	   to this document.  Code Components extracted from this document must
51	   include Simplified BSD License text as described in Section 4.e of
52	   the Trust Legal Provisions and are provided without warranty as
53	   described in the Simplified BSD License.

55	Table of Contents

57	   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  5
58	     1.1.  Notational Conventions . . . . . . . . . . . . . . . . . .  5
59	   2.  Terminology  . . . . . . . . . . . . . . . . . . . . . . . . .  5
60	   3.  JSON Web Encryption (JWE) Overview . . . . . . . . . . . . . .  8
61	     3.1.  Example JWE  . . . . . . . . . . . . . . . . . . . . . . .  9
62	   4.  JWE Header . . . . . . . . . . . . . . . . . . . . . . . . . . 10
63	     4.1.  Reserved Header Parameter Names  . . . . . . . . . . . . . 11
64	       4.1.1.  "alg" (Algorithm) Header Parameter . . . . . . . . . . 11
65	       4.1.2.  "enc" (Encryption Method) Header Parameter . . . . . . 11
66	       4.1.3.  "zip" (Compression Algorithm) Header Parameter . . . . 12
67	       4.1.4.  "jku" (JWK Set URL) Header Parameter . . . . . . . . . 12
68	       4.1.5.  "jwk" (JSON Web Key) Header Parameter  . . . . . . . . 12
69	       4.1.6.  "x5u" (X.509 URL) Header Parameter . . . . . . . . . . 12
70	       4.1.7.  "x5t" (X.509 Certificate Thumbprint) Header
71	               Parameter  . . . . . . . . . . . . . . . . . . . . . . 13
72	       4.1.8.  "x5c" (X.509 Certificate Chain) Header Parameter . . . 13
73	       4.1.9.  "kid" (Key ID) Header Parameter  . . . . . . . . . . . 14
74	       4.1.10. "typ" (Type) Header Parameter  . . . . . . . . . . . . 14
75	       4.1.11. "cty" (Content Type) Header Parameter  . . . . . . . . 14
76	       4.1.12. "crit" (Critical) Header Parameter . . . . . . . . . . 15
77	     4.2.  Public Header Parameter Names  . . . . . . . . . . . . . . 15
78	     4.3.  Private Header Parameter Names . . . . . . . . . . . . . . 15
79	   5.  Producing and Consuming JWEs . . . . . . . . . . . . . . . . . 16
80	     5.1.  Message Encryption . . . . . . . . . . . . . . . . . . . . 16
81	     5.2.  Message Decryption . . . . . . . . . . . . . . . . . . . . 18
82	     5.3.  String Comparison Rules  . . . . . . . . . . . . . . . . . 20
83	   6.  Key Identification . . . . . . . . . . . . . . . . . . . . . . 20
84	   7.  Serializations . . . . . . . . . . . . . . . . . . . . . . . . 21
85	     7.1.  JWE Compact Serialization  . . . . . . . . . . . . . . . . 21
86	     7.2.  JWE JSON Serialization . . . . . . . . . . . . . . . . . . 21
87	   8.  Distinguishing Between JWS and JWE Objects . . . . . . . . . . 24
88	   9.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 25
89	     9.1.  Registration of JWE Header Parameter Names . . . . . . . . 25
90	       9.1.1.  Registry Contents  . . . . . . . . . . . . . . . . . . 25
91	   10. Security Considerations  . . . . . . . . . . . . . . . . . . . 26
92	   11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 27
93	     11.1. Normative References . . . . . . . . . . . . . . . . . . . 27
94	     11.2. Informative References . . . . . . . . . . . . . . . . . . 28
95	   Appendix A.  JWE Examples  . . . . . . . . . . . . . . . . . . . . 29
96	     A.1.  Example JWE using RSAES OAEP and AES GCM . . . . . . . . . 29
97	       A.1.1.  JWE Header . . . . . . . . . . . . . . . . . . . . . . 29
98	       A.1.2.  Encoded JWE Header . . . . . . . . . . . . . . . . . . 29
99	       A.1.3.  Content Encryption Key (CEK) . . . . . . . . . . . . . 30
100	       A.1.4.  Key Encryption . . . . . . . . . . . . . . . . . . . . 30
101	       A.1.5.  Encoded JWE Encrypted Key  . . . . . . . . . . . . . . 31
102	       A.1.6.  Initialization Vector  . . . . . . . . . . . . . . . . 31
103	       A.1.7.  Additional Authenticated Data  . . . . . . . . . . . . 31
104	       A.1.8.  Plaintext Encryption . . . . . . . . . . . . . . . . . 31
105	       A.1.9.  Encoded JWE Ciphertext . . . . . . . . . . . . . . . . 32
106	       A.1.10. Encoded JWE Authentication Tag . . . . . . . . . . . . 32
107	       A.1.11. Complete Representation  . . . . . . . . . . . . . . . 32
108	       A.1.12. Validation . . . . . . . . . . . . . . . . . . . . . . 33
109	     A.2.  Example JWE using RSAES-PKCS1-V1_5 and
110	           AES_128_CBC_HMAC_SHA_256 . . . . . . . . . . . . . . . . . 33
111	       A.2.1.  JWE Header . . . . . . . . . . . . . . . . . . . . . . 33
112	       A.2.2.  Encoded JWE Header . . . . . . . . . . . . . . . . . . 33
113	       A.2.3.  Content Encryption Key (CEK) . . . . . . . . . . . . . 33
114	       A.2.4.  Key Encryption . . . . . . . . . . . . . . . . . . . . 34
115	       A.2.5.  Encoded JWE Encrypted Key  . . . . . . . . . . . . . . 35
116	       A.2.6.  Initialization Vector  . . . . . . . . . . . . . . . . 35
117	       A.2.7.  Additional Authenticated Data  . . . . . . . . . . . . 35
118	       A.2.8.  Plaintext Encryption . . . . . . . . . . . . . . . . . 35
119	       A.2.9.  Encoded JWE Ciphertext . . . . . . . . . . . . . . . . 36
120	       A.2.10. Encoded JWE Authentication Tag . . . . . . . . . . . . 36
121	       A.2.11. Complete Representation  . . . . . . . . . . . . . . . 36
122	       A.2.12. Validation . . . . . . . . . . . . . . . . . . . . . . 36
123	     A.3.  Example JWE using AES Key Wrap and
124	           AES_128_CBC_HMAC_SHA_256 . . . . . . . . . . . . . . . . . 37
125	       A.3.1.  JWE Header . . . . . . . . . . . . . . . . . . . . . . 37
126	       A.3.2.  Encoded JWE Header . . . . . . . . . . . . . . . . . . 37
127	       A.3.3.  Content Encryption Key (CEK) . . . . . . . . . . . . . 37
128	       A.3.4.  Key Encryption . . . . . . . . . . . . . . . . . . . . 37
129	       A.3.5.  Encoded JWE Encrypted Key  . . . . . . . . . . . . . . 38
130	       A.3.6.  Initialization Vector  . . . . . . . . . . . . . . . . 38
131	       A.3.7.  Additional Authenticated Data  . . . . . . . . . . . . 38
132	       A.3.8.  Plaintext Encryption . . . . . . . . . . . . . . . . . 38
133	       A.3.9.  Encoded JWE Ciphertext . . . . . . . . . . . . . . . . 39
134	       A.3.10. Encoded JWE Authentication Tag . . . . . . . . . . . . 39
135	       A.3.11. Complete Representation  . . . . . . . . . . . . . . . 39
136	       A.3.12. Validation . . . . . . . . . . . . . . . . . . . . . . 40
137	     A.4.  Example JWE Using JWE JSON Serialization . . . . . . . . . 40
138	       A.4.1.  JWE Per-Recipient Unprotected Headers  . . . . . . . . 40
139	       A.4.2.  JWE Protected Header . . . . . . . . . . . . . . . . . 40
140	       A.4.3.  JWE Unprotected Header . . . . . . . . . . . . . . . . 41
141	       A.4.4.  Complete JWE Header Values . . . . . . . . . . . . . . 41
142	       A.4.5.  Additional Authenticated Data  . . . . . . . . . . . . 41
143	       A.4.6.  Plaintext Encryption . . . . . . . . . . . . . . . . . 41
144	       A.4.7.  Encoded JWE Ciphertext . . . . . . . . . . . . . . . . 42
145	       A.4.8.  Encoded JWE Authentication Tag . . . . . . . . . . . . 42
146	       A.4.9.  Complete JWE JSON Serialization Representation . . . . 42
147	   Appendix B.  Example AES_128_CBC_HMAC_SHA_256 Computation  . . . . 43
148	     B.1.  Extract MAC_KEY and ENC_KEY from Key . . . . . . . . . . . 43
149	     B.2.  Encrypt Plaintext to Create Ciphertext . . . . . . . . . . 44
150	     B.3.  64 Bit Big Endian Representation of AAD Length . . . . . . 44
151	     B.4.  Initialization Vector Value  . . . . . . . . . . . . . . . 44
152	     B.5.  Create Input to HMAC Computation . . . . . . . . . . . . . 45
153	     B.6.  Compute HMAC Value . . . . . . . . . . . . . . . . . . . . 45
154	     B.7.  Truncate HMAC Value to Create Authentication Tag . . . . . 45
155	   Appendix C.  Acknowledgements  . . . . . . . . . . . . . . . . . . 45
156	   Appendix D.  Document History  . . . . . . . . . . . . . . . . . . 46
157	   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 53

159	1.  Introduction

161	   JSON Web Encryption (JWE) represents encrypted content using
162	   JavaScript Object Notation (JSON) [RFC4627] based data structures.
163	   The JWE cryptographic mechanisms encrypt and provide integrity
164	   protection for an arbitrary sequence of octets.

166	   Two closely related serializations for JWE objects are defined.  The
167	   JWE Compact Serialization is a compact, URL-safe representation
168	   intended for space constrained environments such as HTTP
169	   Authorization headers and URI query parameters.  The JWE JSON
170	   Serialization represents JWE objects as JSON objects and enables the
171	   same content to be encrypted to multiple parties.  Both share the
172	   same cryptographic underpinnings.

174	   Cryptographic algorithms and identifiers for use with this
175	   specification are described in the separate JSON Web Algorithms (JWA)
176	   [JWA] specification and IANA registries defined by that
177	   specification.  Related digital signature and MAC capabilities are
178	   described in the separate JSON Web Signature (JWS) [JWS]
179	   specification.

181	   Names defined by this specification are short because a core goal is
182	   for the resulting representations to be compact.

184	1.1.  Notational Conventions

186	   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
187	   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
188	   document are to be interpreted as described in Key words for use in
189	   RFCs to Indicate Requirement Levels [RFC2119].

191	2.  Terminology

193	   JSON Web Encryption (JWE)  A data structure representing an encrypted
194	      message.  The structure represents five values: the JWE Header,
195	      the JWE Encrypted Key, the JWE Initialization Vector, the JWE
196	      Ciphertext, and the JWE Authentication Tag.

198	   Authenticated Encryption with Associated Data (AEAD)  An AEAD
199	      algorithm is one that encrypts the Plaintext, allows Additional
200	      Authenticated Data to be specified, and provides an integrated
201	      content integrity check over the Ciphertext and Additional
202	      Authenticated Data.  AEAD algorithms accept two inputs, the
203	      Plaintext and the Additional Authenticated Data value, and produce
204	      two outputs, the Ciphertext and the Authentication Tag value.  AES
205	      Galois/Counter Mode (GCM) is one such algorithm.

207	   Plaintext  The sequence of octets to be encrypted -- a.k.a., the
208	      message.  The plaintext can contain an arbitrary sequence of
209	      octets.

211	   Ciphertext  An encrypted representation of the Plaintext.

213	   Additional Authenticated Data (AAD)  An input to an AEAD operation
214	      that is integrity protected but not encrypted.

216	   Authentication Tag  An output of an AEAD operation that ensures the
217	      integrity of the Ciphertext and the Additional Authenticated Data.
218	      Note that some algorithms may not use an Authentication Tag, in
219	      which case this value is the empty octet sequence.

221	   Content Encryption Key (CEK)  A symmetric key for the AEAD algorithm
222	      used to encrypt the Plaintext for the recipient to produce the
223	      Ciphertext and the Authentication Tag.

225	   JSON Text Object  A UTF-8 [RFC3629] encoded text string representing
226	      a JSON object; the syntax of JSON objects is defined in Section
227	      2.2 of [RFC4627].

229	   JWE Header  A JSON Text Object (or JSON Text Objects, when using the
230	      JWE JSON Serialization) that describes the encryption operations
231	      applied to create the JWE Encrypted Key, the JWE Ciphertext, and
232	      the JWE Authentication Tag. The members of the JWE Header
233	      object(s) are Header Parameters.

235	   JWE Encrypted Key  The result of encrypting the Content Encryption
236	      Key (CEK) with the intended recipient's key using the specified
237	      algorithm.  Note that for some algorithms, the JWE Encrypted Key
238	      value is specified as being the empty octet sequence.

240	   JWE Initialization Vector  A sequence of octets containing the
241	      Initialization Vector used when encrypting the Plaintext.  Note
242	      that some algorithms may not use an Initialization Vector, in
243	      which case this value is the empty octet sequence.

245	   JWE Ciphertext  A sequence of octets containing the Ciphertext for a
246	      JWE.

248	   JWE Authentication Tag  A sequence of octets containing the
249	      Authentication Tag for a JWE.

251	   JWE Protected Header  A JSON Text Object that contains the portion of
252	      the JWE Header that is integrity protected.  For the JWE Compact
253	      Serialization, this comprises the entire JWE Header.  For the JWE
254	      JSON Serialization, this is one component of the JWE Header.

256	   Header Parameter  A name/value pair that is member of the JWE Header.

258	   Header Parameter Name  The name of a member of the JWE Header.

260	   Header Parameter Value  The value of a member of the JWE Header.

262	   Base64url Encoding  Base64 encoding using the URL- and filename-safe
263	      character set defined in Section 5 of RFC 4648 [RFC4648], with all
264	      trailing '=' characters omitted (as permitted by Section 3.2).
265	      (See Appendix C of [JWS] for notes on implementing base64url
266	      encoding without padding.)

268	   Encoded JWE Header  Base64url encoding of the JWE Protected Header.

270	   Encoded JWE Encrypted Key  Base64url encoding of the JWE Encrypted
271	      Key.

273	   Encoded JWE Initialization Vector  Base64url encoding of the JWE
274	      Initialization Vector.

276	   Encoded JWE Ciphertext  Base64url encoding of the JWE Ciphertext.

278	   Encoded JWE Authentication Tag  Base64url encoding of the JWE
279	      Authentication Tag.

281	   JWE Compact Serialization  A representation of the JWE as the
282	      concatenation of the Encoded JWE Header, the Encoded JWE Encrypted
283	      Key, the Encoded JWE Initialization Vector, the Encoded JWE
284	      Ciphertext, and the Encoded JWE Authentication Tag in that order,
285	      with the five strings being separated by four period ('.')
286	      characters.  This representation is compact and URL-safe.

288	   JWE JSON Serialization  A representation of the JWE as a JSON
289	      structure containing JWE Header, Encoded JWE Encrypted Key,
290	      Encoded JWE Initialization Vector, Encoded JWE Ciphertext, and
291	      Encoded JWE Authentication Tag values.  Unlike the JWE Compact
292	      Serialization, the JWE JSON Serialization enables the same content
293	      to be encrypted to multiple parties.  This representation is
294	      neither compact nor URL-safe.

296	   Collision Resistant Namespace  A namespace that allows names to be
297	      allocated in a manner such that they are highly unlikely to
298	      collide with other names.  Examples of Collision Resistant
299	      Namespaces include: Domain Names, Object Identifiers (OIDs) as
300	      defined in the ITU-T X.660 and X.670 Recommendation series, and
301	      Universally Unique IDentifiers (UUIDs) [RFC4122].  When using an
302	      administratively delegated namespace, the definer of a name needs
303	      to take reasonable precautions to ensure they are in control of
304	      the portion of the namespace they use to define the name.

306	   StringOrURI  A JSON string value, with the additional requirement
307	      that while arbitrary string values MAY be used, any value
308	      containing a ":" character MUST be a URI [RFC3986].  StringOrURI
309	      values are compared as case-sensitive strings with no
310	      transformations or canonicalizations applied.

312	   Key Management Mode  A method of determining the Content Encryption
313	      Key (CEK) value to use.  Each algorithm used for determining the
314	      CEK value uses a specific Key Management Mode.  Key Management
315	      Modes employed by this specification are Key Encryption, Key
316	      Wrapping, Direct Key Agreement, Key Agreement with Key Wrapping,
317	      and Direct Encryption.

319	   Key Encryption  A Key Management Mode in which the Content Encryption
320	      Key (CEK) value is encrypted to the intended recipient using an
321	      asymmetric encryption algorithm.

323	   Key Wrapping  A Key Management Mode in which the Content Encryption
324	      Key (CEK) value is encrypted to the intended recipient using a
325	      symmetric key wrapping algorithm.

327	   Direct Key Agreement  A Key Management Mode in which a key agreement
328	      algorithm is used to agree upon the Content Encryption Key (CEK)
329	      value.

331	   Key Agreement with Key Wrapping  A Key Management Mode in which a key
332	      agreement algorithm is used to agree upon a symmetric key used to
333	      encrypt the Content Encryption Key (CEK) value to the intended
334	      recipient using a symmetric key wrapping algorithm.

336	   Direct Encryption  A Key Management Mode in which the Content
337	      Encryption Key (CEK) value used is the secret symmetric key value
338	      shared between the parties.

340	3.  JSON Web Encryption (JWE) Overview

342	   JWE represents encrypted content using JSON data structures and
343	   base64url encoding.  Five values are represented in a JWE: the JWE
344	   Header, the JWE Encrypted Key, the JWE Initialization Vector, the JWE
345	   Ciphertext, and the JWE Authentication Tag. In the Compact
346	   Serialization, the five values are base64url-encoded for
347	   transmission, and represented as the concatenation of the encoded
348	   strings in that order, with the five strings being separated by four
349	   period ('.') characters.  A JSON Serialization for this information
350	   is also defined in Section 7.2.

352	   JWE utilizes authenticated encryption to ensure the confidentiality
353	   and integrity of the Plaintext and the integrity of the JWE Protected
354	   Header.

356	3.1.  Example JWE

358	   This example encrypts the plaintext "The true sign of intelligence is
359	   not knowledge but imagination." to the recipient using RSAES OAEP for
360	   key encryption and AES GCM for content encryption.

362	   The following example JWE Header declares that:

364	   o  the Content Encryption Key is encrypted to the recipient using the
365	      RSAES OAEP algorithm to produce the JWE Encrypted Key and

367	   o  the Plaintext is encrypted using the AES GCM algorithm with a 256
368	      bit key to produce the Ciphertext.

370	     {"alg":"RSA-OAEP","enc":"A256GCM"}

372	   Base64url encoding the octets of the UTF-8 representation of the JWE
373	   Header yields this Encoded JWE Header value:

375	     eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZHQ00ifQ

377	   The remaining steps to finish creating this JWE are:

379	   o  Generate a random Content Encryption Key (CEK).

381	   o  Encrypt the CEK with the recipient's public key using the RSAES
382	      OAEP algorithm to produce the JWE Encrypted Key.

384	   o  Base64url encode the JWE Encrypted Key to produce the Encoded JWE
385	      Encrypted Key.

387	   o  Generate a random JWE Initialization Vector.

389	   o  Base64url encode the JWE Initialization Vector to produce the
390	      Encoded JWE Initialization Vector.

392	   o  Let the Additional Authenticated Data encryption parameter be the
393	      octets of the ASCII representation of the Encoded JWE Header
394	      value.

396	   o  Encrypt the Plaintext with AES GCM using the CEK as the encryption
397	      key, the JWE Initialization Vector, and the Additional
398	      Authenticated Data value, requesting a 128 bit Authentication Tag
399	      output.

401	   o  Base64url encode the Ciphertext to create the Encoded JWE
402	      Ciphertext.

404	   o  Base64url encode the Authentication Tag to create the Encoded JWE
405	      Authentication Tag.

407	   o  Assemble the final representation: The Compact Serialization of
408	      this result is the concatenation of the Encoded JWE Header, the
409	      Encoded JWE Encrypted Key, the Encoded JWE Initialization Vector,
410	      the Encoded JWE Ciphertext, and the Encoded JWE Authentication Tag
411	      in that order, with the five strings being separated by four
412	      period ('.') characters.

414	   The final result in this example (with line breaks for display
415	   purposes only) is:

417	     eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZHQ00ifQ.
418	     OKOawDo13gRp2ojaHV7LFpZcgV7T6DVZKTyKOMTYUmKoTCVJRgckCL9kiMT03JGe
419	     ipsEdY3mx_etLbbWSrFr05kLzcSr4qKAq7YN7e9jwQRb23nfa6c9d-StnImGyFDb
420	     Sv04uVuxIp5Zms1gNxKKK2Da14B8S4rzVRltdYwam_lDp5XnZAYpQdb76FdIKLaV
421	     mqgfwX7XWRxv2322i-vDxRfqNzo_tETKzpVLzfiwQyeyPGLBIO56YJ7eObdv0je8
422	     1860ppamavo35UgoRdbYaBcoh9QcfylQr66oc6vFWXRcZ_ZT2LawVCWTIy3brGPi
423	     6UklfCpIMfIjf7iGdXKHzg.
424	     48V1_ALb6US04U3b.
425	     5eym8TW_c8SuK0ltJ3rpYIzOeDQz7TALvtu6UG9oMo4vpzs9tX_EFShS8iB7j6ji
426	     SdiwkIr3ajwQzaBtQD_A.
427	     XFBoMYUZodetZdvTiFvSkQ

429	   See Appendix A.1 for the complete details of computing this JWE.  See
430	   Appendix A for additional examples.

432	4.  JWE Header

434	   The members of the JSON object(s) representing the JWE Header
435	   describe the encryption applied to the Plaintext and optionally
436	   additional properties of the JWE.  The Header Parameter Names within
437	   the JWE Header MUST be unique; recipients MUST either reject JWEs
438	   with duplicate Header Parameter Names or use a JSON parser that
439	   returns only the lexically last duplicate member name, as specified
440	   in Section 15.12 (The JSON Object) of ECMAScript 5.1 [ECMAScript].

442	   Implementations are required to understand the specific header
443	   parameters defined by this specification that are designated as "MUST
444	   be understood" and process them in the manner defined in this
445	   specification.  All other header parameters defined by this
446	   specification that are not so designated MUST be ignored when not
447	   understood.  Unless listed as a critical header parameter, per
448	   Section 4.1.12, all header parameters not defined by this
449	   specification MUST be ignored when not understood.

451	   There are three classes of Header Parameter Names: Reserved Header
452	   Parameter Names, Public Header Parameter Names, and Private Header
453	   Parameter Names.

455	4.1.  Reserved Header Parameter Names

457	   The following Header Parameter Names are reserved with meanings as
458	   defined below.

460	   Additional reserved Header Parameter Names can be defined via the
461	   IANA JSON Web Signature and Encryption Header Parameters registry
462	   [JWS].  As indicated by the common registry, JWSs and JWEs share a
463	   common header parameter space; when a parameter is used by both
464	   specifications, its usage must be compatible between the
465	   specifications.

467	4.1.1.  "alg" (Algorithm) Header Parameter

469	   The "alg" (algorithm) header parameter identifies the cryptographic
470	   algorithm used to encrypt or determine the value of the Content
471	   Encryption Key (CEK).  The encrypted content is not usable if the
472	   "alg" value does not represent a supported algorithm, or if the
473	   recipient does not have a key that can be used with that algorithm.
474	   "alg" values SHOULD either be registered in the IANA JSON Web
475	   Signature and Encryption Algorithms registry [JWA] or be a value that
476	   contains a Collision Resistant Namespace.  The "alg" value is a case
477	   sensitive string containing a StringOrURI value.  Use of this header
478	   parameter is REQUIRED.  This header parameter MUST be understood by
479	   implementations.

481	   A list of defined "alg" values can be found in the IANA JSON Web
482	   Signature and Encryption Algorithms registry [JWA]; the initial
483	   contents of this registry are the values defined in Section 4.1 of
484	   the JSON Web Algorithms (JWA) [JWA] specification.

486	4.1.2.  "enc" (Encryption Method) Header Parameter

488	   The "enc" (encryption method) header parameter identifies the content
489	   encryption algorithm used to encrypt the Plaintext to produce the
490	   Ciphertext.  This algorithm MUST be an AEAD algorithm with a
491	   specified key length.  The recipient MUST reject the JWE if the "enc"
492	   value does not represent a supported algorithm. "enc" values SHOULD
493	   either be registered in the IANA JSON Web Signature and Encryption
494	   Algorithms registry [JWA] or be a value that contains a Collision
495	   Resistant Namespace.  The "enc" value is a case sensitive string
496	   containing a StringOrURI value.  Use of this header parameter is
497	   REQUIRED.  This header parameter MUST be understood by
498	   implementations.

500	   A list of defined "enc" values can be found in the IANA JSON Web
501	   Signature and Encryption Algorithms registry [JWA]; the initial
502	   contents of this registry are the values defined in Section 4.2 of
503	   the JSON Web Algorithms (JWA) [JWA] specification.

505	4.1.3.  "zip" (Compression Algorithm) Header Parameter

507	   The "zip" (compression algorithm) applied to the Plaintext before
508	   encryption, if any.  If present, the value of the "zip" header
509	   parameter MUST be the case sensitive string "DEF".  Compression is
510	   performed with the DEFLATE [RFC1951] algorithm.  If no "zip"
511	   parameter is present, no compression is applied to the Plaintext
512	   before encryption.  This header parameter MUST be integrity
513	   protected, and therefore MUST occur only with the JWE Protected
514	   Header, when used.  Use of this header parameter is OPTIONAL.  This
515	   header parameter MUST be understood by implementations.

517	4.1.4.  "jku" (JWK Set URL) Header Parameter

519	   The "jku" (JWK Set URL) header parameter is a URI [RFC3986] that
520	   refers to a resource for a set of JSON-encoded public keys, one of
521	   which is the key to which the JWE was encrypted; this can be used to
522	   determine the private key needed to decrypt the JWE.  The keys MUST
523	   be encoded as a JSON Web Key Set (JWK Set) [JWK].  The protocol used
524	   to acquire the resource MUST provide integrity protection; an HTTP
525	   GET request to retrieve the JWK Set MUST use TLS [RFC2818] [RFC5246];
526	   the identity of the server MUST be validated, as per Section 3.1 of
527	   HTTP Over TLS [RFC2818].  Use of this header parameter is OPTIONAL.

529	4.1.5.  "jwk" (JSON Web Key) Header Parameter

531	   The "jwk" (JSON Web Key) header parameter is the public key to which
532	   the JWE was encrypted; this can be used to determine the private key
533	   needed to decrypt the JWE.  This key is represented as a JSON Web Key
534	   [JWK].  Use of this header parameter is OPTIONAL.

536	4.1.6.  "x5u" (X.509 URL) Header Parameter

538	   The "x5u" (X.509 URL) header parameter is a URI [RFC3986] that refers
539	   to a resource for the X.509 public key certificate or certificate
540	   chain [RFC5280] containing the key to which the JWE was encrypted;
541	   this can be used to determine the private key needed to decrypt the
542	   JWE.  The identified resource MUST provide a representation of the
543	   certificate or certificate chain that conforms to RFC 5280 [RFC5280]
544	   in PEM encoded form [RFC1421].  The certificate containing the public
545	   key to which the JWE was encrypted MUST be the first certificate.
546	   This MAY be followed by additional certificates, with each subsequent
547	   certificate being the one used to certify the previous one.  The
548	   protocol used to acquire the resource MUST provide integrity
549	   protection; an HTTP GET request to retrieve the certificate MUST use
550	   TLS [RFC2818] [RFC5246]; the identity of the server MUST be
551	   validated, as per Section 3.1 of HTTP Over TLS [RFC2818].  Use of
552	   this header parameter is OPTIONAL.

554	4.1.7.  "x5t" (X.509 Certificate Thumbprint) Header Parameter

556	   The "x5t" (X.509 Certificate Thumbprint) header parameter is a
557	   base64url encoded SHA-1 thumbprint (a.k.a. digest) of the DER
558	   encoding of the X.509 certificate [RFC5280] containing the key to
559	   which the JWE was encrypted; this can be used to determine the
560	   private key needed to decrypt the JWE.  Use of this header parameter
561	   is OPTIONAL.

563	   If, in the future, certificate thumbprints need to be computed using
564	   hash functions other than SHA-1, it is suggested that additional
565	   related header parameters be defined for that purpose.  For example,
566	   it is suggested that a new "x5t#S256" (X.509 Certificate Thumbprint
567	   using SHA-256) header parameter could be defined by registering it in
568	   the IANA JSON Web Signature and Encryption Header Parameters registry
569	   [JWS].

571	4.1.8.  "x5c" (X.509 Certificate Chain) Header Parameter

573	   The "x5c" (X.509 Certificate Chain) header parameter contains the
574	   X.509 public key certificate or certificate chain [RFC5280]
575	   containing the key to which the JWE was encrypted; this can be used
576	   to determine the private key needed to decrypt the JWE.  The
577	   certificate or certificate chain is represented as a JSON array of
578	   certificate value strings.  Each string in the array is a base64
579	   encoded ([RFC4648] Section 4 -- not base64url encoded) DER
580	   [ITU.X690.1994] PKIX certificate value.  The certificate containing
581	   the public key to which the JWE was encrypted MUST be the first
582	   certificate.  This MAY be followed by additional certificates, with
583	   each subsequent certificate being the one used to certify the
584	   previous one.  Use of this header parameter is OPTIONAL.

586	   See Appendix B of [JWS] for an example "x5c" value.

588	4.1.9.  "kid" (Key ID) Header Parameter

590	   The "kid" (key ID) header parameter is a hint indicating which key to
591	   which the JWE was encrypted; this can be used to determine the
592	   private key needed to decrypt the JWE.  This parameter allows
593	   originators to explicitly signal a change of key to recipients.
594	   Should the recipient be unable to locate a key corresponding to the
595	   "kid" value, they SHOULD treat that condition as an error.  The
596	   interpretation of the "kid" value is unspecified.  Its value MUST be
597	   a string.  Use of this header parameter is OPTIONAL.

599	   When used with a JWK, the "kid" value can be used to match a JWK
600	   "kid" parameter value.

602	4.1.10.  "typ" (Type) Header Parameter

604	   The "typ" (type) header parameter MAY be used to declare the type of
605	   this complete JWE object in an application-specific manner in
606	   contexts where this is useful to the application.  This parameter has
607	   no effect upon the JWE processing.  The type value "JOSE" MAY be used
608	   by applications to indicate that this object is a JWS or JWE using
609	   the JWS Compact Serialization or the JWE Compact Serialization.  The
610	   type value "JOSE+JSON" MAY be used by applications to indicate that
611	   this object is a JWS or JWE using the JWS JSON Serialization or the
612	   JWE JSON Serialization.  Other type values MAY be used, and if not
613	   understood, SHOULD be ignored.  The "typ" value is a case sensitive
614	   string.  Use of this header parameter is OPTIONAL.

616	   MIME Media Type [RFC2046] values MAY be used as "typ" values.

618	   "typ" values SHOULD either be registered in the IANA JSON Web
619	   Signature and Encryption Type Values registry [JWS] or be a value
620	   that contains a Collision Resistant Namespace.

622	4.1.11.  "cty" (Content Type) Header Parameter

624	   The "cty" (content type) header parameter MAY be used to declare the
625	   type of the encrypted content (the Plaintext) in an application-
626	   specific manner in contexts where this is useful to the application.
627	   This parameter has no effect upon the JWE processing.  Content type
628	   values that are not understood SHOULD be ignored.  The "cty" value is
629	   a case sensitive string.  Use of this header parameter is OPTIONAL.

631	   The values used for the "cty" header parameter come from the same
632	   value space as the "typ" header parameter, with the same rules
633	   applying.

635	4.1.12.  "crit" (Critical) Header Parameter

637	   The "crit" (critical) header parameter indicates that extensions to
638	   [[ this specification ]] are being used that MUST be understood and
639	   processed.  Its value is an array listing the header parameter names
640	   defined by those extensions that are used in the JWE Header.  If any
641	   of the listed extension header parameters are not understood and
642	   supported by the receiver, it MUST reject the JWE.  Senders MUST NOT
643	   include header parameter names defined by [[ this specification ]] or
644	   by [JWA] for use with JWE, duplicate names, or names that do not
645	   occur as header parameter names within the JWE Header in the "crit"
646	   list.  Senders MUST not use the empty list "[]" as the "crit" value.
647	   Recipients MAY reject the JWE if the critical list contains any
648	   header parameter names defined by [[ this specification ]] or by
649	   [JWA] for use with JWE, or any other constraints on its use are
650	   violated.  This header parameter MUST be integrity protected, and
651	   therefore MUST occur only with the JWE Protected Header, when used.
652	   Use of this header parameter is OPTIONAL.  This header parameter MUST
653	   be understood by implementations.

655	   An example use, along with a hypothetical "exp" (expiration-time)
656	   field is:

658	     {"alg":"RSA-OAEP",
659	      "enc":"A256GCM",
660	      "crit":["exp"],
661	      "exp":1363284000
662	     }

664	4.2.  Public Header Parameter Names

666	   Additional Header Parameter Names can be defined by those using JWEs.
667	   However, in order to prevent collisions, any new Header Parameter
668	   Name SHOULD either be registered in the IANA JSON Web Signature and
669	   Encryption Header Parameters registry [JWS] or be a Public Name: a
670	   value that contains a Collision Resistant Namespace.  In each case,
671	   the definer of the name or value needs to take reasonable precautions
672	   to make sure they are in control of the part of the namespace they
673	   use to define the Header Parameter Name.

675	   New header parameters should be introduced sparingly, as they can
676	   result in non-interoperable JWEs.

678	4.3.  Private Header Parameter Names

680	   A producer and consumer of a JWE may agree to use Header Parameter
681	   Names that are Private Names: names that are not Reserved Names
682	   Section 4.1 or Public Names Section 4.2.  Unlike Public Names,
683	   Private Names are subject to collision and should be used with
684	   caution.

686	5.  Producing and Consuming JWEs

688	5.1.  Message Encryption

690	   The message encryption process is as follows.  The order of the steps
691	   is not significant in cases where there are no dependencies between
692	   the inputs and outputs of the steps.

694	   1.   Determine the Key Management Mode employed by the algorithm used
695	        to determine the Content Encryption Key (CEK) value.  (This is
696	        the algorithm recorded in the "alg" (algorithm) header parameter
697	        of the resulting JWE.)

699	   2.   When Key Wrapping, Key Encryption, or Key Agreement with Key
700	        Wrapping are employed, generate a random Content Encryption Key
701	        (CEK) value.  See RFC 4086 [RFC4086] for considerations on
702	        generating random values.  The CEK MUST have a length equal to
703	        that required for the content encryption algorithm.

705	   3.   When Direct Key Agreement or Key Agreement with Key Wrapping are
706	        employed, use the key agreement algorithm to compute the value
707	        of the agreed upon key.  When Direct Key Agreement is employed,
708	        let the Content Encryption Key (CEK) be the agreed upon key.
709	        When Key Agreement with Key Wrapping is employed, the agreed
710	        upon key will be used to wrap the CEK.

712	   4.   When Key Wrapping, Key Encryption, or Key Agreement with Key
713	        Wrapping are employed, encrypt the CEK to the recipient and let
714	        the result be the JWE Encrypted Key.

716	   5.   Otherwise, when Direct Key Agreement or Direct Encryption are
717	        employed, let the JWE Encrypted Key be the empty octet sequence.

719	   6.   When Direct Encryption is employed, let the Content Encryption
720	        Key (CEK) be the shared symmetric key.

722	   7.   Base64url encode the JWE Encrypted Key to create the Encoded JWE
723	        Encrypted Key.

725	   8.   If the JWE JSON Serialization is being used, repeat this process
726	        for each recipient.

728	   9.   Generate a random JWE Initialization Vector of the correct size
729	        for the content encryption algorithm (if required for the
730	        algorithm); otherwise, let the JWE Initialization Vector be the
731	        empty octet sequence.

733	   10.  Base64url encode the JWE Initialization Vector to create the
734	        Encoded JWE Initialization Vector.

736	   11.  Compress the Plaintext if a "zip" parameter was included.

738	   12.  Serialize the (compressed) Plaintext into an octet sequence M.

740	   13.  Create a JWE Header containing the encryption parameters used.
741	        Note that white space is explicitly allowed in the
742	        representation and no canonicalization need be performed before
743	        encoding.

745	   14.  Base64url encode the octets of the UTF-8 representation of the
746	        JWE Protected Header to create the Encoded JWE Header.  If the
747	        JWE Protected Header is not present (which can only happen when
748	        using the JWE JSON Serialization and no "protected" member is
749	        present), let the Encoded JWE Header be the empty string.

751	   15.  Let the Additional Authenticated Data encryption parameter be
752	        the octets of the ASCII representation of the Encoded JWE Header
753	        value.

755	   16.  Encrypt M using the CEK, the JWE Initialization Vector, and the
756	        Additional Authenticated Data value using the specified content
757	        encryption algorithm to create the JWE Ciphertext value and the
758	        JWE Authentication Tag (which is the Authentication Tag output
759	        from the encryption operation).

761	   17.  Base64url encode the JWE Ciphertext to create the Encoded JWE
762	        Ciphertext.

764	   18.  Base64url encode the JWE Authentication Tag to create the
765	        Encoded JWE Authentication Tag.

767	   19.  The five encoded parts are result values used in both the JWE
768	        Compact Serialization and the JWE JSON Serialization
769	        representations.

771	   20.  Create the desired serialized output.  The JWE Compact
772	        Serialization of this result is the concatenation of the Encoded
773	        JWE Header, the Encoded JWE Encrypted Key, the Encoded JWE
774	        Initialization Vector, the Encoded JWE Ciphertext, and the
775	        Encoded JWE Authentication Tag in that order, with the five
776	        strings being separated by four period ('.') characters.  The
777	        JWE JSON Serialization is described in Section 7.2.

779	5.2.  Message Decryption

781	   The message decryption process is the reverse of the encryption
782	   process.  The order of the steps is not significant in cases where
783	   there are no dependencies between the inputs and outputs of the
784	   steps.  If any of these steps fails, the encrypted content cannot be
785	   validated.

787	   It is an application decision which recipients' encrypted content
788	   must successfully validate for the JWE to be accepted.  In some
789	   cases, encrypted content for all recipients must successfully
790	   validate or the JWE will be rejected.  In other cases, only the
791	   encrypted content for a single recipient needs to be successfully
792	   validated.  However, in all cases, the encrypted content for at least
793	   one recipient MUST successfully validate or the JWE MUST be rejected.

795	   1.   Parse the serialized input to determine the values of the JWE
796	        Header, the Encoded JWE Encrypted Key, the Encoded JWE
797	        Initialization Vector, the Encoded JWE Ciphertext, and the
798	        Encoded JWE Authentication Tag. When using the JWE Compact
799	        Serialization, the Encoded JWE Header, the Encoded JWE Encrypted
800	        Key, the Encoded JWE Initialization Vector, the Encoded JWE
801	        Ciphertext, and the Encoded JWE Authentication Tag are
802	        represented as text strings in that order, separated by four
803	        period ('.') characters.  The JWE JSON Serialization is
804	        described in Section 7.2.

806	   2.   The Encoded JWE Header, the Encoded JWE Encrypted Key, the
807	        Encoded JWE Initialization Vector, the Encoded JWE Ciphertext,
808	        and the Encoded JWE Authentication Tag MUST be successfully
809	        base64url decoded following the restriction that no padding
810	        characters have been used.

812	   3.   The resulting JWE Protected Header MUST be a completely valid
813	        JSON object conforming to RFC 4627 [RFC4627].

815	   4.   If using the JWE Compact Serialization, let the JWE Header be
816	        the JWE Protected Header; otherwise, when using the JWE JSON
817	        Serialization, let the JWE Header be the union of the members of
818	        the JWE Protected Header, the members of the "unprotected"
819	        value, and the members of the corresponding "header" value, all
820	        of which must be completely valid JSON objects.

822	   5.   The resulting JWE Header MUST NOT contain duplicate Header
823	        Parameter Names.  When using the JWE JSON Serialization, this
824	        restriction includes that the same Header Parameter Name also
825	        MUST NOT occur in distinct JSON Text Object values that together
826	        comprise the JWE Header.

828	   6.   The resulting JWE Header MUST be validated to only include
829	        parameters and values whose syntax and semantics are both
830	        understood and supported or that are specified as being ignored
831	        when not understood.

833	   7.   Determine the Key Management Mode employed by the algorithm
834	        specified by the "alg" (algorithm) header parameter.

836	   8.   Verify that the JWE uses a key known to the recipient.

838	   9.   When Direct Key Agreement or Key Agreement with Key Wrapping are
839	        employed, use the key agreement algorithm to compute the value
840	        of the agreed upon key.  When Direct Key Agreement is employed,
841	        let the Content Encryption Key (CEK) be the agreed upon key.
842	        When Key Agreement with Key Wrapping is employed, the agreed
843	        upon key will be used to decrypt the JWE Encrypted Key.

845	   10.  When Key Wrapping, Key Encryption, or Key Agreement with Key
846	        Wrapping are employed, decrypt the JWE Encrypted Key to produce
847	        the Content Encryption Key (CEK).  The CEK MUST have a length
848	        equal to that required for the content encryption algorithm.
849	        Note that when there are multiple recipients, each recipient
850	        will only be able decrypt any JWE Encrypted Key values that were
851	        encrypted to a key in that recipient's possession.  It is
852	        therefore normal to only be able to decrypt one of the per-
853	        recipient JWE Encrypted Key values to obtain the CEK value.  To
854	        mitigate the attacks described in RFC 3218 [RFC3218], the
855	        recipient MUST NOT distinguish between format, padding, and
856	        length errors of encrypted keys.  It is strongly recommended, in
857	        the event of receiving an improperly formatted key, that the
858	        receiver substitute a randomly generated CEK and proceed to the
859	        next step, to mitigate timing attacks.

861	   11.  Otherwise, when Direct Key Agreement or Direct Encryption are
862	        employed, verify that the JWE Encrypted Key value is empty octet
863	        sequence.

865	   12.  When Direct Encryption is employed, let the Content Encryption
866	        Key (CEK) be the shared symmetric key.

868	   13.  If the JWE JSON Serialization is being used, repeat this process
869	        for each recipient contained in the representation until the CEK
870	        value has been determined.

872	   14.  Let the Additional Authenticated Data encryption parameter be
873	        the octets of the ASCII representation of the Encoded JWE Header
874	        value.  However if a top-level "aad" member is present when
875	        using the JWE JSON Serialization, instead let the Additional
876	        Authenticated Data encryption parameter be the octets of the
877	        ASCII representation of the concatenation of the Encoded JWE
878	        Header value, a period ('.') character, and the "aad" field
879	        value.

881	   15.  Decrypt the JWE Ciphertext using the CEK, the JWE Initialization
882	        Vector, the Additional Authenticated Data value, and the JWE
883	        Authentication Tag (which is the Authentication Tag input to the
884	        calculation) using the specified content encryption algorithm,
885	        returning the decrypted plaintext and verifying the JWE
886	        Authentication Tag in the manner specified for the algorithm,
887	        rejecting the input without emitting any decrypted output if the
888	        JWE Authentication Tag is incorrect.

890	   16.  Uncompress the decrypted plaintext if a "zip" parameter was
891	        included.

893	   17.  Output the resulting Plaintext.

895	5.3.  String Comparison Rules

897	   Processing a JWE inevitably requires comparing known strings to
898	   values in JSON objects.  For example, in checking what the encryption
899	   method is, the Unicode string encoding "enc" will be checked against
900	   the member names in the JWE Header to see if there is a matching
901	   Header Parameter Name.

903	   Comparisons between JSON strings and other Unicode strings MUST be
904	   performed by comparing Unicode code points without normalization as
905	   specified in the String Comparison Rules in Section 5.3 of [JWS].

907	6.  Key Identification

909	   It is necessary for the recipient of a JWE to be able to determine
910	   the key that was employed for the encryption operation.  The key
911	   employed can be identified using the Header Parameter methods
912	   described in Section 4.1 or can be identified using methods that are
913	   outside the scope of this specification.  Specifically, the Header
914	   Parameters "jku", "jwk", "x5u", "x5t", "x5c", and "kid" can be used
915	   to identify the key used.  These header parameters MUST be integrity
916	   protected if the information about the key that they convey is to be
917	   considered trusted.

919	   The sender SHOULD include sufficient information in the Header
920	   Parameters to identify the key used, unless the application uses
921	   another means or convention to determine the key used.  Validation of
922	   the encrypted content fails when the key used cannot be determined.

924	   The means of exchanging any shared symmetric keys used is outside the
925	   scope of this specification.

927	7.  Serializations

929	   JWE objects use one of two serializations, the JWE Compact
930	   Serialization or the JWE JSON Serialization.  The JWE Compact
931	   Serialization is mandatory to implement.  Implementation of the JWE
932	   JSON Serialization is OPTIONAL.

934	7.1.  JWE Compact Serialization

936	   The JWE Compact Serialization represents encrypted content as a
937	   compact URL-safe string.  This string is the concatenation of the
938	   Encoded JWE Header, the Encoded JWE Encrypted Key, the Encoded JWE
939	   Initialization Vector, the Encoded JWE Ciphertext, and the Encoded
940	   JWE Authentication Tag in that order, with the five strings being
941	   separated by four period ('.') characters.  Only one recipient is
942	   supported by the JWE Compact Serialization.

944	7.2.  JWE JSON Serialization

946	   The JWE JSON Serialization represents encrypted content as a JSON
947	   object.  Unlike the JWE Compact Serialization, content using the JWE
948	   JSON Serialization can be encrypted to more than one recipient.

950	   The representation is closely related to that used in the JWE Compact
951	   Serialization, with the following differences for the JWE JSON
952	   Serialization:

954	   o  Values in the JWE JSON Serialization are represented as members of
955	      a JSON object, rather than as base64url encoded strings separated
956	      by period ('.') characters.  (However binary values and values
957	      that are integrity protected are still base64url encoded.)

959	   o  The Encoded JWE Header value, if non-empty, is stored in the
960	      "protected" member.

962	   o  The Encoded JWE Initialization Vector value, if non-empty, is
963	      stored in the "iv" member.

965	   o  The Encoded JWE Ciphertext value is stored in the "ciphertext"
966	      member.

968	   o  The Encoded JWE Authentication Tag value, if non-empty, is stored
969	      in the "tag" member.

971	   o  The JWE can be encrypted to multiple recipients, rather than just
972	      one.  A JSON array in the "recipients" member is used to hold
973	      values that are specific to a particular recipient, with one array
974	      element per recipient represented.  These array elements are JSON
975	      objects.

977	   o  Each Encoded JWE Encrypted Key value, if non-empty, is stored in
978	      the "encrypted_key" member of a JSON object that is an element of
979	      the "recipients" array.

981	   o  Some header parameter values, such as the "alg" value and
982	      parameters used for selecting keys, can also differ for different
983	      recipient computations.  Per-recipient header parameter values, if
984	      present, are stored in the "header" members of the same JSON
985	      objects that are elements of the "recipients" array.

987	   o  Some header parameters, including the "alg" parameter, can be
988	      shared among all recipient computations.  These header parameters
989	      are stored in either of two top-level member(s) of the JSON
990	      object: the "protected" member and the "unprotected" member.  The
991	      values of these members, if present, are JSON Text Objects
992	      containing Header Parameters.

994	   o  Not all header parameters are integrity protected.  The shared
995	      header parameters in the "protected" member are integrity
996	      protected, and are base64url encoded.  The per-recipient header
997	      parameters in the "header" array element members and the shared
998	      header parameters in the "unprotected" member are not integrity
999	      protected.  These JSON Text Objects containing header parameters
1000	      that are not integrity protected are not base64url encoded.

1002	   o  The header parameter values used when creating or validating per-
1003	      recipient Ciphertext and Authentication Tag values are the union
1004	      of the three sets of header parameter values that may be present:
1005	      (1) the per-recipient values in the "header" member of the
1006	      recipient's array element, (2) the shared integrity-protected
1007	      values in the "protected" member, and (3) the shared non-
1008	      integrity-protected values in the "unprotected" member.  The union
1009	      of these sets of header parameters comprises the JWE Header.  The
1010	      header parameter names in the three locations MUST be disjoint.

1012	   o  An "aad" (Additional Authenticated Data) member can be included to
1013	      supply a base64url encoded value to be integrity protected but not
1014	      encrypted.  (Note that this can also be achieved when using either
1015	      serialization by including the AAD value as a protected header
1016	      parameter value, but at the cost of the value being double
1017	      base64url encoded.)

1019	   o  The "recipients" array MUST always be present, even if the array
1020	      elements contain only the empty JSON object "{}" (which can happen
1021	      when all header parameter values are shared between all recipients
1022	      and when no encrypted key is used, such as when doing Direct
1023	      Encryption).

1025	   The syntax of a JWE using the JWE JSON Serialization is as follows:

1027	     {"protected":<integrity-protected shared header contents>",
1028	      "unprotected":<non-integrity-protected shared header contents>",
1029	      "recipients":[
1030	       {"header":"<per-recipient unprotected header 1 contents>",
1031	        "encrypted_key":"<encrypted key 1 contents>"},
1032	       ...
1033	       {"header":"<per-recipient unprotected header N contents>",
1034	        "encrypted_key":"<encrypted key N contents>"}],
1035	      "aad":"<additional authenticated data contents>",
1036	      "iv":"<initialization vector contents>",
1037	      "ciphertext":"<ciphertext contents>",
1038	      "tag":"<authentication tag contents>"
1039	     }

1041	   Of these members, only the "ciphertext" member MUST be present.  The
1042	   "iv", "tag", and "encrypted_key" members MUST be present when
1043	   corresponding JWE Initialization Vector, JWE Authentication Tag, and
1044	   JWE Encrypted Key values are non-empty.  The "recipients" member MUST
1045	   be present when any "header" or "encrypted_key" members are needed
1046	   for recipients.  At least one of the "header", "protected", and
1047	   "unprotected" members MUST be present so that "alg" and "enc" header
1048	   parameter values are conveyed for each recipient computation.

1050	   The contents of the Encoded JWE Encrypted Key, Encoded JWE
1051	   Initialization Vector, Encoded JWE Ciphertext, and Encoded JWE
1052	   Authentication Tag values are exactly as defined in the rest of this
1053	   specification.  They are interpreted and validated in the same
1054	   manner, with each corresponding Encoded JWE Encrypted Key, Encoded
1055	   JWE Initialization Vector, Encoded JWE Ciphertext, Encoded JWE
1056	   Authentication Tag, and set of header parameter values being created
1057	   and validated together.  The JWE Header values used are the union of
1058	   the header parameters in the "protected", "unprotected", and
1059	   corresponding "header" members, as described earlier.

1061	   Each JWE Encrypted Key value is computed using the parameters of the
1062	   corresponding JWE Header value in the same manner as for the JWE
1063	   Compact Serialization.  This has the desirable property that each
1064	   Encoded JWE Encrypted Key value in the "recipients" array is
1065	   identical to the value that would have been computed for the same
1066	   parameter in the JWE Compact Serialization.  Likewise, the JWE
1067	   Ciphertext and JWE Authentication Tag values match those produced for
1068	   the JWE Compact Serialization, provided that the Encoded JWE Header
1069	   value (which represents the integrity-protected header parameter
1070	   values) matches that used in the JWE Compact Serialization.

1072	   All recipients use the same JWE Protected Header, JWE Initialization
1073	   Vector, JWE Ciphertext, and JWE Authentication Tag values, resulting
1074	   in potentially significant space savings if the message is large.
1075	   Therefore, all header parameters that specify the treatment of the
1076	   Plaintext value MUST be the same for all recipients.  This primarily
1077	   means that the "enc" (encryption method) header parameter value in
1078	   the JWE Header for each recipient and any parameters of that
1079	   algorithm MUST be the same.

1081	   See Appendix A.4 for an example of computing a JWE using the JWE JSON
1082	   Serialization.

1084	8.  Distinguishing Between JWS and JWE Objects

1086	   There are several ways of distinguishing whether an object is a JWS
1087	   or JWE object.  All these methods will yield the same result for all
1088	   legal input values.

1090	   o  If the object is using the JWS Compact Serialization or the JWE
1091	      Compact Serialization, the number of base64url encoded segments
1092	      separated by period ('.') characters differs for JWSs and JWEs.
1093	      JWSs have three segments separated by two period ('.') characters.
1094	      JWEs have five segments separated by four period ('.') characters.

1096	   o  If the object is using the JWS JSON Serialization or the JWE JSON
1097	      Serialization, the members used will be different.  JWSs have a
1098	      "signatures" member and JWEs do not.  JWEs have a "recipients"
1099	      member and JWSs do not.

1101	   o  A JWS Header can be distinguished from a JWE header by examining
1102	      the "alg" (algorithm) header parameter value.  If the value
1103	      represents a digital signature or MAC algorithm, or is the value
1104	      "none", it is for a JWS; if it represents a Key Encryption, Key
1105	      Wrapping, Direct Key Agreement, Key Agreement with Key Wrapping,
1106	      or Direct Encryption algorithm, it is for a JWE.

1108	   o  A JWS Header can also be distinguished from a JWE header by
1109	      determining whether an "enc" (encryption method) member exists.
1110	      If the "enc" member exists, it is a JWE; otherwise, it is a JWS.

1112	9.  IANA Considerations

1114	9.1.  Registration of JWE Header Parameter Names

1116	   This specification registers the Header Parameter Names defined in
1117	   Section 4.1 in the IANA JSON Web Signature and Encryption Header
1118	   Parameters registry [JWS].

1120	9.1.1.  Registry Contents

1122	   o  Header Parameter Name: "alg"
1123	   o  Header Parameter Usage Location(s): JWE
1124	   o  Change Controller: IETF
1125	   o  Specification Document(s): Section 4.1.1 of [[ this document ]]

1127	   o  Header Parameter Name: "enc"
1128	   o  Header Parameter Usage Location(s): JWE
1129	   o  Change Controller: IETF
1130	   o  Specification Document(s): Section 4.1.2 of [[ this document ]]

1132	   o  Header Parameter Name: "zip"
1133	   o  Header Parameter Usage Location(s): JWE
1134	   o  Change Controller: IETF
1135	   o  Specification Document(s): Section 4.1.3 of [[ this document ]]

1137	   o  Header Parameter Name: "jku"
1138	   o  Header Parameter Usage Location(s): JWE
1139	   o  Change Controller: IETF
1140	   o  Specification Document(s): Section 4.1.4 of [[ this document ]]

1142	   o  Header Parameter Name: "jwk"
1143	   o  Header Parameter Usage Location(s): JWE
1144	   o  Change Controller: IETF
1145	   o  Specification document(s): Section 4.1.5 of [[ this document ]]

1147	   o  Header Parameter Name: "x5u"
1148	   o  Header Parameter Usage Location(s): JWE
1149	   o  Change Controller: IETF
1150	   o  Specification Document(s): Section 4.1.6 of [[ this document ]]

1152	   o  Header Parameter Name: "x5t"
1153	   o  Header Parameter Usage Location(s): JWE
1154	   o  Change Controller: IETF
1155	   o  Specification Document(s): Section 4.1.7 of [[ this document ]]

1157	   o  Header Parameter Name: "x5c"
1158	   o  Header Parameter Usage Location(s): JWE
1159	   o  Change Controller: IETF
1160	   o  Specification Document(s): Section 4.1.8 of [[ this document ]]

1162	   o  Header Parameter Name: "kid"
1163	   o  Header Parameter Usage Location(s): JWE
1164	   o  Change Controller: IETF
1165	   o  Specification Document(s): Section 4.1.9 of [[ this document ]]

1167	   o  Header Parameter Name: "typ"
1168	   o  Header Parameter Usage Location(s): JWE
1169	   o  Change Controller: IETF
1170	   o  Specification Document(s): Section 4.1.10 of [[ this document ]]

1172	   o  Header Parameter Name: "cty"
1173	   o  Header Parameter Usage Location(s): JWE
1174	   o  Change Controller: IETF
1175	   o  Specification Document(s): Section 4.1.11 of [[ this document ]]

1177	   o  Header Parameter Name: "crit"
1178	   o  Header Parameter Usage Location(s): JWE
1179	   o  Change Controller: IETF
1180	   o  Specification Document(s): Section 4.1.12 of [[ this document ]]

1182	10.  Security Considerations

1184	   All of the security issues faced by any cryptographic application
1185	   must be faced by a JWS/JWE/JWK agent.  Among these issues are
1186	   protecting the user's private and symmetric keys, preventing various
1187	   attacks, and helping the user avoid mistakes such as inadvertently
1188	   encrypting a message for the wrong recipient.  The entire list of
1189	   security considerations is beyond the scope of this document.

1191	   All the security considerations in the JWS specification also apply
1192	   to this specification.  Likewise, all the security considerations in
1193	   XML Encryption 1.1 [W3C.CR-xmlenc-core1-20120313] also apply, other
1194	   than those that are XML specific.

1196	   When decrypting, particular care must be taken not to allow the JWE
1197	   recipient to be used as an oracle for decrypting messages.  RFC 3218
1198	   [RFC3218] should be consulted for specific countermeasures to attacks
1199	   on RSAES-PKCS1-V1_5.  An attacker might modify the contents of the
1200	   "alg" parameter from "RSA-OAEP" to "RSA1_5" in order to generate a
1201	   formatting error that can be detected and used to recover the CEK
1202	   even if RSAES OAEP was used to encrypt the CEK.  It is therefore
1203	   particularly important to report all formatting errors to the CEK,
1204	   Additional Authenticated Data, or ciphertext as a single error when
1205	   the encrypted content is rejected.

1207	11.  References

1209	11.1.  Normative References

1211	   [ECMAScript]
1212	              Ecma International, "ECMAScript Language Specification,
1213	              5.1 Edition", ECMA 262, June 2011.

1215	   [ITU.X690.1994]
1216	              International Telecommunications Union, "Information
1217	              Technology - ASN.1 encoding rules: Specification of Basic
1218	              Encoding Rules (BER), Canonical Encoding Rules (CER) and
1219	              Distinguished Encoding Rules (DER)", ITU-T Recommendation
1220	              X.690, 1994.

1222	   [JWA]      Jones, M., "JSON Web Algorithms (JWA)",
1223	              draft-ietf-jose-json-web-algorithms (work in progress),
1224	              September 2013.

1226	   [JWK]      Jones, M., "JSON Web Key (JWK)",
1227	              draft-ietf-jose-json-web-key (work in progress),
1228	              September 2013.

1230	   [JWS]      Jones, M., Bradley, J., and N. Sakimura, "JSON Web
1231	              Signature (JWS)", draft-ietf-jose-json-web-signature (work
1232	              in progress), September 2013.

1234	   [RFC1421]  Linn, J., "Privacy Enhancement for Internet Electronic
1235	              Mail: Part I: Message Encryption and Authentication
1236	              Procedures", RFC 1421, February 1993.

1238	   [RFC1951]  Deutsch, P., "DEFLATE Compressed Data Format Specification
1239	              version 1.3", RFC 1951, May 1996.

1241	   [RFC2046]  Freed, N. and N. Borenstein, "Multipurpose Internet Mail
1242	              Extensions (MIME) Part Two: Media Types", RFC 2046,
1243	              November 1996.

1245	   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
1246	              Requirement Levels", BCP 14, RFC 2119, March 1997.

1248	   [RFC2818]  Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000.

1250	   [RFC3629]  Yergeau, F., "UTF-8, a transformation format of ISO
1251	              10646", STD 63, RFC 3629, November 2003.

1253	   [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
1254	              Resource Identifier (URI): Generic Syntax", STD 66,
1255	              RFC 3986, January 2005.

1257	   [RFC4086]  Eastlake, D., Schiller, J., and S. Crocker, "Randomness
1258	              Requirements for Security", BCP 106, RFC 4086, June 2005.

1260	   [RFC4627]  Crockford, D., "The application/json Media Type for
1261	              JavaScript Object Notation (JSON)", RFC 4627, July 2006.

1263	   [RFC4648]  Josefsson, S., "The Base16, Base32, and Base64 Data
1264	              Encodings", RFC 4648, October 2006.

1266	   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
1267	              (TLS) Protocol Version 1.2", RFC 5246, August 2008.

1269	   [RFC5280]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
1270	              Housley, R., and W. Polk, "Internet X.509 Public Key
1271	              Infrastructure Certificate and Certificate Revocation List
1272	              (CRL) Profile", RFC 5280, May 2008.

1274	   [W3C.CR-xmlenc-core1-20120313]
1275	              Eastlake, D., Reagle, J., Roessler, T., and F. Hirsch,
1276	              "XML Encryption Syntax and Processing Version 1.1", World
1277	              Wide Web Consortium CR CR-xmlenc-core1-20120313,
1278	              March 2012,
1279	              <http://www.w3.org/TR/2012/CR-xmlenc-core1-20120313>.

1281	11.2.  Informative References

1283	   [I-D.mcgrew-aead-aes-cbc-hmac-sha2]
1284	              McGrew, D. and K. Paterson, "Authenticated Encryption with
1285	              AES-CBC and HMAC-SHA",
1286	              draft-mcgrew-aead-aes-cbc-hmac-sha2-01 (work in progress),
1287	              October 2012.

1289	   [I-D.rescorla-jsms]
1290	              Rescorla, E. and J. Hildebrand, "JavaScript Message
1291	              Security Format", draft-rescorla-jsms-00 (work in
1292	              progress), March 2011.

1294	   [JSE]      Bradley, J. and N. Sakimura (editor), "JSON Simple
1295	              Encryption", September 2010.

1297	   [RFC3218]  Rescorla, E., "Preventing the Million Message Attack on
1298	              Cryptographic Message Syntax", RFC 3218, January 2002.

1300	   [RFC4122]  Leach, P., Mealling, M., and R. Salz, "A Universally
1301	              Unique IDentifier (UUID) URN Namespace", RFC 4122,
1302	              July 2005.

1304	   [RFC5652]  Housley, R., "Cryptographic Message Syntax (CMS)", STD 70,
1305	              RFC 5652, September 2009.

1307	Appendix A.  JWE Examples

1309	   This section provides examples of JWE computations.

1311	A.1.  Example JWE using RSAES OAEP and AES GCM

1313	   This example encrypts the plaintext "The true sign of intelligence is
1314	   not knowledge but imagination." to the recipient using RSAES OAEP for
1315	   key encryption and AES GCM for content encryption.  The
1316	   representation of this plaintext is:

1318	   [84, 104, 101, 32, 116, 114, 117, 101, 32, 115, 105, 103, 110, 32,
1319	   111, 102, 32, 105, 110, 116, 101, 108, 108, 105, 103, 101, 110, 99,
1320	   101, 32, 105, 115, 32, 110, 111, 116, 32, 107, 110, 111, 119, 108,
1321	   101, 100, 103, 101, 32, 98, 117, 116, 32, 105, 109, 97, 103, 105,
1322	   110, 97, 116, 105, 111, 110, 46]

1324	A.1.1.  JWE Header

1326	   The following example JWE Header declares that:

1328	   o  the Content Encryption Key is encrypted to the recipient using the
1329	      RSAES OAEP algorithm to produce the JWE Encrypted Key and

1331	   o  the Plaintext is encrypted using the AES GCM algorithm with a 256
1332	      bit key to produce the Ciphertext.

1334	     {"alg":"RSA-OAEP","enc":"A256GCM"}

1336	A.1.2.  Encoded JWE Header

1338	   Base64url encoding the octets of the UTF-8 representation of the JWE
1339	   Header yields this Encoded JWE Header value:

1341	     eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZHQ00ifQ

1343	A.1.3.  Content Encryption Key (CEK)

1345	   Generate a 256 bit random Content Encryption Key (CEK).  In this
1346	   example, the value is:

1348	   [177, 161, 244, 128, 84, 143, 225, 115, 63, 180, 3, 255, 107, 154,
1349	   212, 246, 138, 7, 110, 91, 112, 46, 34, 105, 47, 130, 203, 46, 122,
1350	   234, 64, 252]

1352	A.1.4.  Key Encryption

1354	   Encrypt the CEK with the recipient's public key using the RSAES OAEP
1355	   algorithm to produce the JWE Encrypted Key. This example uses the RSA
1356	   key represented in JSON Web Key [JWK] format below (with line breaks
1357	   for display purposes only):

1359	     {"kty":"RSA",
1360	      "n":"oahUIoWw0K0usKNuOR6H4wkf4oBUXHTxRvgb48E-BVvxkeDNjbC4he8rUW
1361	           cJoZmds2h7M70imEVhRU5djINXtqllXI4DFqcI1DgjT9LewND8MW2Krf3S
1362	           psk_ZkoFnilakGygTwpZ3uesH-PFABNIUYpOiN15dsQRkgr0vEhxN92i2a
1363	           sbOenSZeyaxziK72UwxrrKoExv6kc5twXTq4h-QChLOln0_mtUZwfsRaMS
1364	           tPs6mS6XrgxnxbWhojf663tuEQueGC-FCMfra36C9knDFGzKsNa7LZK2dj
1365	           YgyD3JR_MB_4NUJW_TqOQtwHYbxevoJArm-L5StowjzGy-_bq6Gw",
1366	      "e":"AQAB",
1367	      "d":"kLdtIj6GbDks_ApCSTYQtelcNttlKiOyPzMrXHeI-yk1F7-kpDxY4-WY5N
1368	           WV5KntaEeXS1j82E375xxhWMHXyvjYecPT9fpwR_M9gV8n9Hrh2anTpTD9
1369	           3Dt62ypW3yDsJzBnTnrYu1iwWRgBKrEYY46qAZIrA2xAwnm2X7uGR1hghk
1370	           qDp0Vqj3kbSCz1XyfCs6_LehBwtxHIyh8Ripy40p24moOAbgxVw3rxT_vl
1371	           t3UVe4WO3JkJOzlpUf-KTVI2Ptgm-dARxTEtE-id-4OJr0h-K-VFs3VSnd
1372	           VTIznSxfyrj8ILL6MG_Uv8YAu7VILSB3lOW085-4qE3DzgrTjgyQ"
1373	     }

1375	   The resulting JWE Encrypted Key value is:

1377	   [56, 163, 154, 192, 58, 53, 222, 4, 105, 218, 136, 218, 29, 94, 203,
1378	   22, 150, 92, 129, 94, 211, 232, 53, 89, 41, 60, 138, 56, 196, 216,
1379	   82, 98, 168, 76, 37, 73, 70, 7, 36, 8, 191, 100, 136, 196, 244, 220,
1380	   145, 158, 138, 155, 4, 117, 141, 230, 199, 247, 173, 45, 182, 214,
1381	   74, 177, 107, 211, 153, 11, 205, 196, 171, 226, 162, 128, 171, 182,
1382	   13, 237, 239, 99, 193, 4, 91, 219, 121, 223, 107, 167, 61, 119, 228,
1383	   173, 156, 137, 134, 200, 80, 219, 74, 253, 56, 185, 91, 177, 34, 158,
1384	   89, 154, 205, 96, 55, 18, 138, 43, 96, 218, 215, 128, 124, 75, 138,
1385	   243, 85, 25, 109, 117, 140, 26, 155, 249, 67, 167, 149, 231, 100, 6,
1386	   41, 65, 214, 251, 232, 87, 72, 40, 182, 149, 154, 168, 31, 193, 126,
1387	   215, 89, 28, 111, 219, 125, 182, 139, 235, 195, 197, 23, 234, 55, 58,
1388	   63, 180, 68, 202, 206, 149, 75, 205, 248, 176, 67, 39, 178, 60, 98,
1389	   193, 32, 238, 122, 96, 158, 222, 57, 183, 111, 210, 55, 188, 215,
1390	   206, 180, 166, 150, 166, 106, 250, 55, 229, 72, 40, 69, 214, 216,
1391	   104, 23, 40, 135, 212, 28, 127, 41, 80, 175, 174, 168, 115, 171, 197,
1392	   89, 116, 92, 103, 246, 83, 216, 182, 176, 84, 37, 147, 35, 45, 219,
1393	   172, 99, 226, 233, 73, 37, 124, 42, 72, 49, 242, 35, 127, 184, 134,
1394	   117, 114, 135, 206]

1396	A.1.5.  Encoded JWE Encrypted Key

1398	   Base64url encode the JWE Encrypted Key to produce the Encoded JWE
1399	   Encrypted Key. This result (with line breaks for display purposes
1400	   only) is:

1402	     OKOawDo13gRp2ojaHV7LFpZcgV7T6DVZKTyKOMTYUmKoTCVJRgckCL9kiMT03JGe
1403	     ipsEdY3mx_etLbbWSrFr05kLzcSr4qKAq7YN7e9jwQRb23nfa6c9d-StnImGyFDb
1404	     Sv04uVuxIp5Zms1gNxKKK2Da14B8S4rzVRltdYwam_lDp5XnZAYpQdb76FdIKLaV
1405	     mqgfwX7XWRxv2322i-vDxRfqNzo_tETKzpVLzfiwQyeyPGLBIO56YJ7eObdv0je8
1406	     1860ppamavo35UgoRdbYaBcoh9QcfylQr66oc6vFWXRcZ_ZT2LawVCWTIy3brGPi
1407	     6UklfCpIMfIjf7iGdXKHzg

1409	A.1.6.  Initialization Vector

1411	   Generate a random 96 bit JWE Initialization Vector.  In this example,
1412	   the value is:

1414	   [227, 197, 117, 252, 2, 219, 233, 68, 180, 225, 77, 219]

1416	   Base64url encoding this value yields this Encoded JWE Initialization
1417	   Vector value:

1419	     48V1_ALb6US04U3b

1421	A.1.7.  Additional Authenticated Data

1423	   Let the Additional Authenticated Data encryption parameter be the
1424	   octets of the ASCII representation of the Encoded JWE Header value.
1425	   This AAD value is:

1427	   [101, 121, 74, 104, 98, 71, 99, 105, 79, 105, 74, 83, 85, 48, 69,
1428	   116, 84, 48, 70, 70, 85, 67, 73, 115, 73, 109, 86, 117, 89, 121, 73,
1429	   54, 73, 107, 69, 121, 78, 84, 90, 72, 81, 48, 48, 105, 102, 81]

1431	A.1.8.  Plaintext Encryption

1433	   Encrypt the Plaintext with AES GCM using the CEK as the encryption
1434	   key, the JWE Initialization Vector, and the Additional Authenticated
1435	   Data value above, requesting a 128 bit Authentication Tag output.
1436	   The resulting Ciphertext is:

1438	   [229, 236, 166, 241, 53, 191, 115, 196, 174, 43, 73, 109, 39, 122,
1439	   233, 96, 140, 206, 120, 52, 51, 237, 48, 11, 190, 219, 186, 80, 111,
1440	   104, 50, 142, 47, 167, 59, 61, 181, 127, 196, 21, 40, 82, 242, 32,
1441	   123, 143, 168, 226, 73, 216, 176, 144, 138, 247, 106, 60, 16, 205,
1442	   160, 109, 64, 63, 192]

1444	   The resulting Authentication Tag value is:

1446	   [92, 80, 104, 49, 133, 25, 161, 215, 173, 101, 219, 211, 136, 91,
1447	   210, 145]

1449	A.1.9.  Encoded JWE Ciphertext

1451	   Base64url encode the Ciphertext to create the Encoded JWE Ciphertext.
1452	   This result (with line breaks for display purposes only) is:

1454	     5eym8TW_c8SuK0ltJ3rpYIzOeDQz7TALvtu6UG9oMo4vpzs9tX_EFShS8iB7j6ji
1455	     SdiwkIr3ajwQzaBtQD_A

1457	A.1.10.  Encoded JWE Authentication Tag

1459	   Base64url encode the Authentication Tag to create the Encoded JWE
1460	   Authentication Tag. This result is:

1462	     XFBoMYUZodetZdvTiFvSkQ

1464	A.1.11.  Complete Representation

1466	   Assemble the final representation: The Compact Serialization of this
1467	   result is the concatenation of the Encoded JWE Header, the Encoded
1468	   JWE Encrypted Key, the Encoded JWE Initialization Vector, the Encoded
1469	   JWE Ciphertext, and the Encoded JWE Authentication Tag in that order,
1470	   with the five strings being separated by four period ('.')
1471	   characters.

1473	   The final result in this example (with line breaks for display
1474	   purposes only) is:

1476	     eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZHQ00ifQ.
1477	     OKOawDo13gRp2ojaHV7LFpZcgV7T6DVZKTyKOMTYUmKoTCVJRgckCL9kiMT03JGe
1478	     ipsEdY3mx_etLbbWSrFr05kLzcSr4qKAq7YN7e9jwQRb23nfa6c9d-StnImGyFDb
1479	     Sv04uVuxIp5Zms1gNxKKK2Da14B8S4rzVRltdYwam_lDp5XnZAYpQdb76FdIKLaV
1480	     mqgfwX7XWRxv2322i-vDxRfqNzo_tETKzpVLzfiwQyeyPGLBIO56YJ7eObdv0je8
1481	     1860ppamavo35UgoRdbYaBcoh9QcfylQr66oc6vFWXRcZ_ZT2LawVCWTIy3brGPi
1482	     6UklfCpIMfIjf7iGdXKHzg.
1483	     48V1_ALb6US04U3b.
1484	     5eym8TW_c8SuK0ltJ3rpYIzOeDQz7TALvtu6UG9oMo4vpzs9tX_EFShS8iB7j6ji
1485	     SdiwkIr3ajwQzaBtQD_A.
1486	     XFBoMYUZodetZdvTiFvSkQ

1488	A.1.12.  Validation

1490	   This example illustrates the process of creating a JWE with RSAES
1491	   OAEP for key encryption and AES GCM for content encryption.  These
1492	   results can be used to validate JWE decryption implementations for
1493	   these algorithms.  Note that since the RSAES OAEP computation
1494	   includes random values, the encryption results above will not be
1495	   completely reproducible.  However, since the AES GCM computation is
1496	   deterministic, the JWE Encrypted Ciphertext values will be the same
1497	   for all encryptions performed using these inputs.

1499	A.2.  Example JWE using RSAES-PKCS1-V1_5 and AES_128_CBC_HMAC_SHA_256

1501	   This example encrypts the plaintext "Live long and prosper." to the
1502	   recipient using RSAES-PKCS1-V1_5 for key encryption and
1503	   AES_128_CBC_HMAC_SHA_256 for content encryption.  The representation
1504	   of this plaintext is:

1506	   [76, 105, 118, 101, 32, 108, 111, 110, 103, 32, 97, 110, 100, 32,
1507	   112, 114, 111, 115, 112, 101, 114, 46]

1509	A.2.1.  JWE Header

1511	   The following example JWE Header (with line breaks for display
1512	   purposes only) declares that:

1514	   o  the Content Encryption Key is encrypted to the recipient using the
1515	      RSAES-PKCS1-V1_5 algorithm to produce the JWE Encrypted Key and

1517	   o  the Plaintext is encrypted using the AES_128_CBC_HMAC_SHA_256
1518	      algorithm to produce the Ciphertext.

1520	     {"alg":"RSA1_5","enc":"A128CBC-HS256"}

1522	A.2.2.  Encoded JWE Header

1524	   Base64url encoding the octets of the UTF-8 representation of the JWE
1525	   Header yields this Encoded JWE Header value:

1527	     eyJhbGciOiJSU0ExXzUiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0

1529	A.2.3.  Content Encryption Key (CEK)

1531	   Generate a 256 bit random Content Encryption Key (CEK).  In this
1532	   example, the key value is:

1534	   [4, 211, 31, 197, 84, 157, 252, 254, 11, 100, 157, 250, 63, 170, 106,
1535	   206, 107, 124, 212, 45, 111, 107, 9, 219, 200, 177, 0, 240, 143, 156,
1536	   44, 207]

1538	A.2.4.  Key Encryption

1540	   Encrypt the CEK with the recipient's public key using the RSAES-
1541	   PKCS1-V1_5 algorithm to produce the JWE Encrypted Key. This example
1542	   uses the RSA key represented in JSON Web Key [JWK] format below (with
1543	   line breaks for display purposes only):

1545	     {"kty":"RSA",
1546	      "n":"sXchDaQebHnPiGvyDOAT4saGEUetSyo9MKLOoWFsueri23bOdgWp4Dy1Wl
1547	           UzewbgBHod5pcM9H95GQRV3JDXboIRROSBigeC5yjU1hGzHHyXss8UDpre
1548	           cbAYxknTcQkhslANGRUZmdTOQ5qTRsLAt6BTYuyvVRdhS8exSZEy_c4gs_
1549	           7svlJJQ4H9_NxsiIoLwAEk7-Q3UXERGYw_75IDrGA84-lA_-Ct4eTlXHBI
1550	           Y2EaV7t7LjJaynVJCpkv4LKjTTAumiGUIuQhrNhZLuF_RJLqHpM2kgWFLU
1551	           7-VTdL1VbC2tejvcI2BlMkEpk1BzBZI0KQB0GaDWFLN-aEAw3vRw",
1552	      "e":"AQAB",
1553	      "d":"VFCWOqXr8nvZNyaaJLXdnNPXZKRaWCjkU5Q2egQQpTBMwhprMzWzpR8Sxq
1554	           1OPThh_J6MUD8Z35wky9b8eEO0pwNS8xlh1lOFRRBoNqDIKVOku0aZb-ry
1555	           nq8cxjDTLZQ6Fz7jSjR1Klop-YKaUHc9GsEofQqYruPhzSA-QgajZGPbE_
1556	           0ZaVDJHfyd7UUBUKunFMScbflYAAOYJqVIVwaYR5zWEEceUjNnTNo_CVSj
1557	           -VvXLO5VZfCUAVLgW4dpf1SrtZjSt34YLsRarSb127reG_DUwg9Ch-Kyvj
1558	           T1SkHgUWRVGcyly7uvVGRSDwsXypdrNinPA4jlhoNdizK2zF2CWQ"
1559	     }

1561	   The resulting JWE Encrypted Key value is:

1563	   [80, 104, 72, 58, 11, 130, 236, 139, 132, 189, 255, 205, 61, 86, 151,
1564	   176, 99, 40, 44, 233, 176, 189, 205, 70, 202, 169, 72, 40, 226, 181,
1565	   156, 223, 120, 156, 115, 232, 150, 209, 145, 133, 104, 112, 237, 156,
1566	   116, 250, 65, 102, 212, 210, 103, 240, 177, 61, 93, 40, 71, 231, 223,
1567	   226, 240, 157, 15, 31, 150, 89, 200, 215, 198, 203, 108, 70, 117, 66,
1568	   212, 238, 193, 205, 23, 161, 169, 218, 243, 203, 128, 214, 127, 253,
1569	   215, 139, 43, 17, 135, 103, 179, 220, 28, 2, 212, 206, 131, 158, 128,
1570	   66, 62, 240, 78, 186, 141, 125, 132, 227, 60, 137, 43, 31, 152, 199,
1571	   54, 72, 34, 212, 115, 11, 152, 101, 70, 42, 219, 233, 142, 66, 151,
1572	   250, 126, 146, 141, 216, 190, 73, 50, 177, 146, 5, 52, 247, 28, 197,
1573	   21, 59, 170, 247, 181, 89, 131, 241, 169, 182, 246, 99, 15, 36, 102,
1574	   166, 182, 172, 197, 136, 230, 120, 60, 58, 219, 243, 149, 94, 222,
1575	   150, 154, 194, 110, 227, 225, 112, 39, 89, 233, 112, 207, 211, 241,
1576	   124, 174, 69, 221, 179, 107, 196, 225, 127, 167, 112, 226, 12, 242,
1577	   16, 24, 28, 120, 182, 244, 213, 244, 153, 194, 162, 69, 160, 244,
1578	   248, 63, 165, 141, 4, 207, 249, 193, 79, 131, 0, 169, 233, 127, 167,
1579	   101, 151, 125, 56, 112, 111, 248, 29, 232, 90, 29, 147, 110, 169,
1580	   146, 114, 165, 204, 71, 136, 41, 252]

1582	A.2.5.  Encoded JWE Encrypted Key

1584	   Base64url encode the JWE Encrypted Key to produce the Encoded JWE
1585	   Encrypted Key. This result (with line breaks for display purposes
1586	   only) is:

1588	     UGhIOguC7IuEvf_NPVaXsGMoLOmwvc1GyqlIKOK1nN94nHPoltGRhWhw7Zx0-kFm
1589	     1NJn8LE9XShH59_i8J0PH5ZZyNfGy2xGdULU7sHNF6Gp2vPLgNZ__deLKxGHZ7Pc
1590	     HALUzoOegEI-8E66jX2E4zyJKx-YxzZIItRzC5hlRirb6Y5Cl_p-ko3YvkkysZIF
1591	     NPccxRU7qve1WYPxqbb2Yw8kZqa2rMWI5ng8OtvzlV7elprCbuPhcCdZ6XDP0_F8
1592	     rkXds2vE4X-ncOIM8hAYHHi29NX0mcKiRaD0-D-ljQTP-cFPgwCp6X-nZZd9OHBv
1593	     -B3oWh2TbqmScqXMR4gp_A

1595	A.2.6.  Initialization Vector

1597	   Generate a random 128 bit JWE Initialization Vector.  In this
1598	   example, the value is:

1600	   [3, 22, 60, 12, 43, 67, 104, 105, 108, 108, 105, 99, 111, 116, 104,
1601	   101]

1603	   Base64url encoding this value yields this Encoded JWE Initialization
1604	   Vector value:

1606	     AxY8DCtDaGlsbGljb3RoZQ

1608	A.2.7.  Additional Authenticated Data

1610	   Let the Additional Authenticated Data encryption parameter be the
1611	   octets of the ASCII representation of the Encoded JWE Header value.
1612	   This AAD value is:

1614	   [101, 121, 74, 104, 98, 71, 99, 105, 79, 105, 74, 83, 85, 48, 69,
1615	   120, 88, 122, 85, 105, 76, 67, 74, 108, 98, 109, 77, 105, 79, 105,
1616	   74, 66, 77, 84, 73, 52, 81, 48, 74, 68, 76, 85, 104, 84, 77, 106, 85,
1617	   50, 73, 110, 48]

1619	A.2.8.  Plaintext Encryption

1621	   Encrypt the Plaintext with AES_128_CBC_HMAC_SHA_256 using the CEK as
1622	   the encryption key, the JWE Initialization Vector, and the Additional
1623	   Authenticated Data value above.  The steps for doing this using the
1624	   values from Appendix A.3 are detailed in Appendix B.  The resulting
1625	   Ciphertext is:

1627	   [40, 57, 83, 181, 119, 33, 133, 148, 198, 185, 243, 24, 152, 230, 6,
1628	   75, 129, 223, 127, 19, 210, 82, 183, 230, 168, 33, 215, 104, 143,
1629	   112, 56, 102]
1630	   The resulting Authentication Tag value is:

1632	   [246, 17, 244, 190, 4, 95, 98, 3, 231, 0, 115, 157, 242, 203, 100,
1633	   191]

1635	A.2.9.  Encoded JWE Ciphertext

1637	   Base64url encode the Ciphertext to create the Encoded JWE Ciphertext.
1638	   This result is:

1640	     KDlTtXchhZTGufMYmOYGS4HffxPSUrfmqCHXaI9wOGY

1642	A.2.10.  Encoded JWE Authentication Tag

1644	   Base64url encode the Authentication Tag to create the Encoded JWE
1645	   Authentication Tag. This result is:

1647	     9hH0vgRfYgPnAHOd8stkvw

1649	A.2.11.  Complete Representation

1651	   Assemble the final representation: The Compact Serialization of this
1652	   result is the concatenation of the Encoded JWE Header, the Encoded
1653	   JWE Encrypted Key, the Encoded JWE Initialization Vector, the Encoded
1654	   JWE Ciphertext, and the Encoded JWE Authentication Tag in that order,
1655	   with the five strings being separated by four period ('.')
1656	   characters.

1658	   The final result in this example (with line breaks for display
1659	   purposes only) is:

1661	     eyJhbGciOiJSU0ExXzUiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0.
1662	     UGhIOguC7IuEvf_NPVaXsGMoLOmwvc1GyqlIKOK1nN94nHPoltGRhWhw7Zx0-kFm
1663	     1NJn8LE9XShH59_i8J0PH5ZZyNfGy2xGdULU7sHNF6Gp2vPLgNZ__deLKxGHZ7Pc
1664	     HALUzoOegEI-8E66jX2E4zyJKx-YxzZIItRzC5hlRirb6Y5Cl_p-ko3YvkkysZIF
1665	     NPccxRU7qve1WYPxqbb2Yw8kZqa2rMWI5ng8OtvzlV7elprCbuPhcCdZ6XDP0_F8
1666	     rkXds2vE4X-ncOIM8hAYHHi29NX0mcKiRaD0-D-ljQTP-cFPgwCp6X-nZZd9OHBv
1667	     -B3oWh2TbqmScqXMR4gp_A.
1668	     AxY8DCtDaGlsbGljb3RoZQ.
1669	     KDlTtXchhZTGufMYmOYGS4HffxPSUrfmqCHXaI9wOGY.
1670	     9hH0vgRfYgPnAHOd8stkvw

1672	A.2.12.  Validation

1674	   This example illustrates the process of creating a JWE with RSAES-
1675	   PKCS1-V1_5 for key encryption and AES_CBC_HMAC_SHA2 for content
1676	   encryption.  These results can be used to validate JWE decryption
1677	   implementations for these algorithms.  Note that since the RSAES-
1678	   PKCS1-V1_5 computation includes random values, the encryption results
1679	   above will not be completely reproducible.  However, since the AES
1680	   CBC computation is deterministic, the JWE Encrypted Ciphertext values
1681	   will be the same for all encryptions performed using these inputs.

1683	A.3.  Example JWE using AES Key Wrap and AES_128_CBC_HMAC_SHA_256

1685	   This example encrypts the plaintext "Live long and prosper." to the
1686	   recipient using AES Key Wrap for key encryption and AES GCM for
1687	   content encryption.  The representation of this plaintext is:

1689	   [76, 105, 118, 101, 32, 108, 111, 110, 103, 32, 97, 110, 100, 32,
1690	   112, 114, 111, 115, 112, 101, 114, 46]

1692	A.3.1.  JWE Header

1694	   The following example JWE Header declares that:

1696	   o  the Content Encryption Key is encrypted to the recipient using the
1697	      AES Key Wrap algorithm with a 128 bit key to produce the JWE
1698	      Encrypted Key and

1700	   o  the Plaintext is encrypted using the AES_128_CBC_HMAC_SHA_256
1701	      algorithm to produce the Ciphertext.

1703	     {"alg":"A128KW","enc":"A128CBC-HS256"}

1705	A.3.2.  Encoded JWE Header

1707	   Base64url encoding the octets of the UTF-8 representation of the JWE
1708	   Header yields this Encoded JWE Header value:

1710	     eyJhbGciOiJBMTI4S1ciLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0

1712	A.3.3.  Content Encryption Key (CEK)

1714	   Generate a 256 bit random Content Encryption Key (CEK).  In this
1715	   example, the value is:

1717	   [4, 211, 31, 197, 84, 157, 252, 254, 11, 100, 157, 250, 63, 170, 106,
1718	   206, 107, 124, 212, 45, 111, 107, 9, 219, 200, 177, 0, 240, 143, 156,
1719	   44, 207]

1721	A.3.4.  Key Encryption

1723	   Encrypt the CEK with the shared symmetric key using the AES Key Wrap
1724	   algorithm to produce the JWE Encrypted Key. This example uses the
1725	   symmetric key represented in JSON Web Key [JWK] format below:

1727	     {"kty":"oct",
1728	      "k":"GawgguFyGrWKav7AX4VKUg"
1729	     }

1731	   The resulting JWE Encrypted Key value is:

1733	   [232, 160, 123, 211, 183, 76, 245, 132, 200, 128, 123, 75, 190, 216,
1734	   22, 67, 201, 138, 193, 186, 9, 91, 122, 31, 246, 90, 28, 139, 57, 3,
1735	   76, 124, 193, 11, 98, 37, 173, 61, 104, 57]

1737	A.3.5.  Encoded JWE Encrypted Key

1739	   Base64url encode the JWE Encrypted Key to produce the Encoded JWE
1740	   Encrypted Key. This result is:

1742	     6KB707dM9YTIgHtLvtgWQ8mKwboJW3of9locizkDTHzBC2IlrT1oOQ

1744	A.3.6.  Initialization Vector

1746	   Generate a random 128 bit JWE Initialization Vector.  In this
1747	   example, the value is:

1749	   [3, 22, 60, 12, 43, 67, 104, 105, 108, 108, 105, 99, 111, 116, 104,
1750	   101]

1752	   Base64url encoding this value yields this Encoded JWE Initialization
1753	   Vector value:

1755	     AxY8DCtDaGlsbGljb3RoZQ

1757	A.3.7.  Additional Authenticated Data

1759	   Let the Additional Authenticated Data encryption parameter be the
1760	   octets of the ASCII representation of the Encoded JWE Header value.
1761	   This AAD value is:

1763	   [101, 121, 74, 104, 98, 71, 99, 105, 79, 105, 74, 66, 77, 84, 73, 52,
1764	   83, 49, 99, 105, 76, 67, 74, 108, 98, 109, 77, 105, 79, 105, 74, 66,
1765	   77, 84, 73, 52, 81, 48, 74, 68, 76, 85, 104, 84, 77, 106, 85, 50, 73,
1766	   110, 48]

1768	A.3.8.  Plaintext Encryption

1770	   Encrypt the Plaintext with AES_128_CBC_HMAC_SHA_256 using the CEK as
1771	   the encryption key, the JWE Initialization Vector, and the Additional
1772	   Authenticated Data value above.  The steps for doing this using the
1773	   values from this example are detailed in Appendix B.  The resulting
1774	   Ciphertext is:

1776	   [40, 57, 83, 181, 119, 33, 133, 148, 198, 185, 243, 24, 152, 230, 6,
1777	   75, 129, 223, 127, 19, 210, 82, 183, 230, 168, 33, 215, 104, 143,
1778	   112, 56, 102]

1780	   The resulting Authentication Tag value is:

1782	   [83, 73, 191, 98, 104, 205, 211, 128, 201, 189, 199, 133, 32, 38,
1783	   194, 85]

1785	A.3.9.  Encoded JWE Ciphertext

1787	   Base64url encode the Ciphertext to create the Encoded JWE Ciphertext.
1788	   This result is:

1790	     KDlTtXchhZTGufMYmOYGS4HffxPSUrfmqCHXaI9wOGY

1792	A.3.10.  Encoded JWE Authentication Tag

1794	   Base64url encode the Authentication Tag to create the Encoded JWE
1795	   Authentication Tag. This result is:

1797	     U0m_YmjN04DJvceFICbCVQ

1799	A.3.11.  Complete Representation

1801	   Assemble the final representation: The Compact Serialization of this
1802	   result is the concatenation of the Encoded JWE Header, the Encoded
1803	   JWE Encrypted Key, the Encoded JWE Initialization Vector, the Encoded
1804	   JWE Ciphertext, and the Encoded JWE Authentication Tag in that order,
1805	   with the five strings being separated by four period ('.')
1806	   characters.

1808	   The final result in this example (with line breaks for display
1809	   purposes only) is:

1811	     eyJhbGciOiJBMTI4S1ciLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0.
1812	     6KB707dM9YTIgHtLvtgWQ8mKwboJW3of9locizkDTHzBC2IlrT1oOQ.
1813	     AxY8DCtDaGlsbGljb3RoZQ.
1814	     KDlTtXchhZTGufMYmOYGS4HffxPSUrfmqCHXaI9wOGY.
1815	     U0m_YmjN04DJvceFICbCVQ

1817	A.3.12.  Validation

1819	   This example illustrates the process of creating a JWE with AES Key
1820	   Wrap for key encryption and AES GCM for content encryption.  These
1821	   results can be used to validate JWE decryption implementations for
1822	   these algorithms.  Also, since both the AES Key Wrap and AES GCM
1823	   computations are deterministic, the resulting JWE value will be the
1824	   same for all encryptions performed using these inputs.  Since the
1825	   computation is reproducible, these results can also be used to
1826	   validate JWE encryption implementations for these algorithms.

1828	A.4.  Example JWE Using JWE JSON Serialization

1830	   This section contains an example using the JWE JSON Serialization.
1831	   This example demonstrates the capability for encrypting the same
1832	   plaintext to multiple recipients.

1834	   Two recipients are present in this example.  The algorithm and key
1835	   used for the first recipient are the same as that used in
1836	   Appendix A.2.  The algorithm and key used for the second recipient
1837	   are the same as that used in Appendix A.3.  The resulting JWE
1838	   Encrypted Key values are therefore the same; those computations are
1839	   not repeated here.

1841	   The Plaintext, the Content Encryption Key (CEK), Initialization
1842	   Vector, and JWE Protected Header are shared by all recipients (which
1843	   must be the case, since the Ciphertext and Authentication Tag are
1844	   also shared).

1846	A.4.1.  JWE Per-Recipient Unprotected Headers

1848	   The first recipient uses the RSAES-PKCS1-V1_5 algorithm to encrypt
1849	   the Content Encryption Key (CEK).  The second uses AES Key Wrap to
1850	   encrypt the CEK.  Key ID values are supplied for both keys.  The two
1851	   per-recipient header values used to represent these algorithms and
1852	   Key IDs are:

1854	     {"alg":"RSA1_5","kid":"2011-04-29"}

1856	   and:

1858	     {"alg":"A128KW","kid":"7"}

1860	A.4.2.  JWE Protected Header

1862	   The Plaintext is encrypted using the AES_128_CBC_HMAC_SHA_256
1863	   algorithm to produce the common JWE Ciphertext and JWE Authentication
1864	   Tag values.  The JWE Protected Header value representing this is:

1866	     {"enc":"A128CBC-HS256"}

1868	   Base64url encoding the octets of the UTF-8 representation of the JWE
1869	   Protected Header yields this Encoded JWE Protected Header value:

1871	     eyJlbmMiOiJBMTI4Q0JDLUhTMjU2In0

1873	A.4.3.  JWE Unprotected Header

1875	   This JWE uses the "jku" header parameter to reference a JWK Set. This
1876	   is represented in the following JWE Unprotected Header value as:

1878	     {"jku":"https://server.example.com/keys.jwks"}

1880	A.4.4.  Complete JWE Header Values

1882	   Combining the per-recipient, protected, and unprotected header values
1883	   supplied, the JWE Header values used for the first and second
1884	   recipient respectively are:

1886	     {"alg":"RSA1_5",
1887	      "kid":"2011-04-29",
1888	      "enc":"A128CBC-HS256",
1889	      "jku":"https://server.example.com/keys.jwks"}

1891	   and:

1893	     {"alg":"A128KW",
1894	      "kid":"7",
1895	      "enc":"A128CBC-HS256",
1896	      "jku":"https://server.example.com/keys.jwks"}

1898	A.4.5.  Additional Authenticated Data

1900	   Let the Additional Authenticated Data encryption parameter be the
1901	   octets of the ASCII representation of the Encoded JWE Protected
1902	   Header value.  This AAD value is:

1904	   [101, 121, 74, 108, 98, 109, 77, 105, 79, 105, 74, 66, 77, 84, 73,
1905	   52, 81, 48, 74, 68, 76, 85, 104, 84, 77, 106, 85, 50, 73, 110, 48]

1907	A.4.6.  Plaintext Encryption

1909	   Encrypt the Plaintext with AES_128_CBC_HMAC_SHA_256 using the CEK as
1910	   the encryption key, the JWE Initialization Vector, and the Additional
1911	   Authenticated Data value above.  The steps for doing this using the
1912	   values from Appendix A.3 are detailed in Appendix B.  The resulting
1913	   Ciphertext is:

1915	   [40, 57, 83, 181, 119, 33, 133, 148, 198, 185, 243, 24, 152, 230, 6,
1916	   75, 129, 223, 127, 19, 210, 82, 183, 230, 168, 33, 215, 104, 143,
1917	   112, 56, 102]

1919	   The resulting Authentication Tag value is:

1921	   [51, 63, 149, 60, 252, 148, 225, 25, 92, 185, 139, 245, 35, 2, 47,
1922	   207]

1924	A.4.7.  Encoded JWE Ciphertext

1926	   Base64url encode the Ciphertext to create the Encoded JWE Ciphertext.
1927	   This result is:

1929	     KDlTtXchhZTGufMYmOYGS4HffxPSUrfmqCHXaI9wOGY

1931	A.4.8.  Encoded JWE Authentication Tag

1933	   Base64url encode the Authentication Tag to create the Encoded JWE
1934	   Authentication Tag. This result is:

1936	     Mz-VPPyU4RlcuYv1IwIvzw

1938	A.4.9.  Complete JWE JSON Serialization Representation

1940	   The complete JSON Web Encryption JSON Serialization for these values
1941	   is as follows (with line breaks for display purposes only):

1943	     {"protected":
1944	       "eyJlbmMiOiJBMTI4Q0JDLUhTMjU2In0",
1945	      "unprotected":
1946	       {"jku":"https://server.example.com/keys.jwks"},
1947	      "recipients":[
1948	       {"header":
1949	         {"alg":"RSA1_5"},
1950	        "encrypted_key":
1951	         "UGhIOguC7IuEvf_NPVaXsGMoLOmwvc1GyqlIKOK1nN94nHPoltGRhWhw7Zx0-
1952	          kFm1NJn8LE9XShH59_i8J0PH5ZZyNfGy2xGdULU7sHNF6Gp2vPLgNZ__deLKx
1953	          GHZ7PcHALUzoOegEI-8E66jX2E4zyJKx-YxzZIItRzC5hlRirb6Y5Cl_p-ko3
1954	          YvkkysZIFNPccxRU7qve1WYPxqbb2Yw8kZqa2rMWI5ng8OtvzlV7elprCbuPh
1955	          cCdZ6XDP0_F8rkXds2vE4X-ncOIM8hAYHHi29NX0mcKiRaD0-D-ljQTP-cFPg
1956	          wCp6X-nZZd9OHBv-B3oWh2TbqmScqXMR4gp_A"},
1957	       {"header":
1958	         {"alg":"A128KW"},
1959	        "encrypted_key":
1960	         "6KB707dM9YTIgHtLvtgWQ8mKwboJW3of9locizkDTHzBC2IlrT1oOQ"}],
1961	      "iv":
1962	       "AxY8DCtDaGlsbGljb3RoZQ",
1963	      "ciphertext":
1964	       "KDlTtXchhZTGufMYmOYGS4HffxPSUrfmqCHXaI9wOGY",
1965	      "tag":
1966	       "Mz-VPPyU4RlcuYv1IwIvzw"
1967	     }

1969	Appendix B.  Example AES_128_CBC_HMAC_SHA_256 Computation

1971	   This example shows the steps in the AES_128_CBC_HMAC_SHA_256
1972	   authenticated encryption computation using the values from the
1973	   example in Appendix A.3.  As described where this algorithm is
1974	   defined in Sections 4.8 and 4.8.3 of JWA, the AES_CBC_HMAC_SHA2
1975	   family of algorithms are implemented using Advanced Encryption
1976	   Standard (AES) in Cipher Block Chaining (CBC) mode with PKCS #5
1977	   padding to perform the encryption and an HMAC SHA-2 function to
1978	   perform the integrity calculation - in this case, HMAC SHA-256.

1980	B.1.  Extract MAC_KEY and ENC_KEY from Key

1982	   The 256 bit AES_128_CBC_HMAC_SHA_256 key K used in this example is:

1984	   [4, 211, 31, 197, 84, 157, 252, 254, 11, 100, 157, 250, 63, 170, 106,
1985	   206, 107, 124, 212, 45, 111, 107, 9, 219, 200, 177, 0, 240, 143, 156,
1986	   44, 207]

1988	   Use the first 128 bits of this key as the HMAC SHA-256 key MAC_KEY,
1989	   which is:

1991	   [4, 211, 31, 197, 84, 157, 252, 254, 11, 100, 157, 250, 63, 170, 106,
1992	   206]

1994	   Use the last 128 bits of this key as the AES CBC key ENC_KEY, which
1995	   is:

1997	   [107, 124, 212, 45, 111, 107, 9, 219, 200, 177, 0, 240, 143, 156, 44,
1998	   207]

2000	   Note that the MAC key comes before the encryption key in the input
2001	   key K; this is in the opposite order of the algorithm names in the
2002	   identifiers "AES_128_CBC_HMAC_SHA_256" and "A128CBC-HS256".

2004	B.2.  Encrypt Plaintext to Create Ciphertext

2006	   Encrypt the Plaintext with AES in Cipher Block Chaining (CBC) mode
2007	   using PKCS #5 padding using the ENC_KEY above.  The Plaintext in this
2008	   example is:

2010	   [76, 105, 118, 101, 32, 108, 111, 110, 103, 32, 97, 110, 100, 32,
2011	   112, 114, 111, 115, 112, 101, 114, 46]

2013	   The encryption result is as follows, which is the Ciphertext output:

2015	   [40, 57, 83, 181, 119, 33, 133, 148, 198, 185, 243, 24, 152, 230, 6,
2016	   75, 129, 223, 127, 19, 210, 82, 183, 230, 168, 33, 215, 104, 143,
2017	   112, 56, 102]

2019	B.3.  64 Bit Big Endian Representation of AAD Length

2021	   The Additional Authenticated Data (AAD) in this example is:

2023	   [101, 121, 74, 104, 98, 71, 99, 105, 79, 105, 74, 66, 77, 84, 73, 52,
2024	   83, 49, 99, 105, 76, 67, 74, 108, 98, 109, 77, 105, 79, 105, 74, 66,
2025	   77, 84, 73, 52, 81, 48, 74, 68, 76, 85, 104, 84, 77, 106, 85, 50, 73,
2026	   110, 48]

2028	   This AAD is 51 bytes long, which is 408 bits long.  The octet string
2029	   AL, which is the number of bits in AAD expressed as a big endian 64
2030	   bit unsigned integer is:

2032	   [0, 0, 0, 0, 0, 0, 1, 152]

2034	B.4.  Initialization Vector Value

2036	   The Initialization Vector value used in this example is:

2038	   [3, 22, 60, 12, 43, 67, 104, 105, 108, 108, 105, 99, 111, 116, 104,
2039	   101]

2041	B.5.  Create Input to HMAC Computation

2043	   Concatenate the AAD, the Initialization Vector, the Ciphertext, and
2044	   the AL value.  The result of this concatenation is:

2046	   [101, 121, 74, 104, 98, 71, 99, 105, 79, 105, 74, 66, 77, 84, 73, 52,
2047	   83, 49, 99, 105, 76, 67, 74, 108, 98, 109, 77, 105, 79, 105, 74, 66,
2048	   77, 84, 73, 52, 81, 48, 74, 68, 76, 85, 104, 84, 77, 106, 85, 50, 73,
2049	   110, 48, 3, 22, 60, 12, 43, 67, 104, 105, 108, 108, 105, 99, 111,
2050	   116, 104, 101, 40, 57, 83, 181, 119, 33, 133, 148, 198, 185, 243, 24,
2051	   152, 230, 6, 75, 129, 223, 127, 19, 210, 82, 183, 230, 168, 33, 215,
2052	   104, 143, 112, 56, 102, 0, 0, 0, 0, 0, 0, 1, 152]

2054	B.6.  Compute HMAC Value

2056	   Compute the HMAC SHA-256 of the concatenated value above.  This
2057	   result M is:

2059	   [83, 73, 191, 98, 104, 205, 211, 128, 201, 189, 199, 133, 32, 38,
2060	   194, 85, 9, 84, 229, 201, 219, 135, 44, 252, 145, 102, 179, 140, 105,
2061	   86, 229, 116]

2063	B.7.  Truncate HMAC Value to Create Authentication Tag

2065	   Use the first half (128 bits) of the HMAC output M as the
2066	   Authentication Tag output T. This truncated value is:

2068	   [83, 73, 191, 98, 104, 205, 211, 128, 201, 189, 199, 133, 32, 38,
2069	   194, 85]

2071	Appendix C.  Acknowledgements

2073	   Solutions for encrypting JSON content were also explored by JSON
2074	   Simple Encryption [JSE] and JavaScript Message Security Format
2075	   [I-D.rescorla-jsms], both of which significantly influenced this
2076	   draft.  This draft attempts to explicitly reuse as many of the
2077	   relevant concepts from XML Encryption 1.1
2078	   [W3C.CR-xmlenc-core1-20120313] and RFC 5652 [RFC5652] as possible,
2079	   while utilizing simple, compact JSON-based data structures.

2081	   Special thanks are due to John Bradley and Nat Sakimura for the
2082	   discussions that helped inform the content of this specification and
2083	   to Eric Rescorla and Joe Hildebrand for allowing the reuse of text
2084	   from [I-D.rescorla-jsms] in this document.

2086	   Thanks to Axel Nennker, Emmanuel Raviart, Brian Campbell, and Edmund
2087	   Jay for validating the examples in this specification.

2089	   This specification is the work of the JOSE Working Group, which
2090	   includes dozens of active and dedicated participants.  In particular,
2091	   the following individuals contributed ideas, feedback, and wording
2092	   that influenced this specification:

2094	   Richard Barnes, John Bradley, Brian Campbell, Breno de Medeiros, Dick
2095	   Hardt, Jeff Hodges, Edmund Jay, James Manger, Matt Miller, Tony
2096	   Nadalin, Axel Nennker, Emmanuel Raviart, Nat Sakimura, Jim Schaad,
2097	   Hannes Tschofenig, and Sean Turner.

2099	   Jim Schaad and Karen O'Donoghue chaired the JOSE working group and
2100	   Sean Turner and Stephen Farrell served as Security area directors
2101	   during the creation of this specification.

2103	Appendix D.  Document History

2105	   [[ to be removed by the RFC editor before publication as an RFC ]]

2107	   -15

2109	   o  Clarified that it is an application decision which recipients'
2110	      encrypted content must successfully validate for the JWE to be
2111	      accepted, addressing issue #35.

2113	   o  Changes to address editorial issues #34, #164, and #169.

2115	   -14

2117	   o  Clarified that the "protected", "unprotected", "header", "iv",
2118	      "tag", and "encrypted_key" parameters are to be omitted in the JWE
2119	      JSON Serialization when their values would be empty.  Stated that
2120	      the "recipients" array must always be present.

2122	   -13

2124	   o  Added an "aad" (Additional Authenticated Data) member for the JWE
2125	      JSON Serialization, enabling Additional Authenticated Data to be
2126	      supplied that is not double base64url encoded, addressing issue
2127	      #29.

2129	   -12

2131	   o  Clarified that the "typ" and "cty" header parameters are used in
2132	      an application-specific manner and have no effect upon the JWE
2133	      processing.

2135	   o  Replaced the MIME types "application/jwe+json" and
2136	      "application/jwe" with "application/jose+json" and
2137	      "application/jose".

2139	   o  Stated that recipients MUST either reject JWEs with duplicate
2140	      Header Parameter Names or use a JSON parser that returns only the
2141	      lexically last duplicate member name.

2143	   o  Moved the "epk", "apu", and "apv" Header Parameter definitions to
2144	      be with the algorithm descriptions that use them.

2146	   o  Added a Serializations section with parallel treatment of the JWE
2147	      Compact Serialization and the JWE JSON Serialization and also
2148	      moved the former Implementation Considerations content there.

2150	   o  Restored use of the term "AEAD".

2152	   o  Changed terminology from "block encryption" to "content
2153	      encryption".

2155	   -11

2157	   o  Added Key Identification section.

2159	   o  Removed the Encrypted Key value from the AAD computation since it
2160	      is already effectively integrity protected by the encryption
2161	      process.  The AAD value now only contains the representation of
2162	      the JWE Encrypted Header.

2164	   o  For the JWE JSON Serialization, enable header parameter values to
2165	      be specified in any of three parameters: the "protected" member
2166	      that is integrity protected and shared among all recipients, the
2167	      "unprotected" member that is not integrity protected and shared
2168	      among all recipients, and the "header" member that is not
2169	      integrity protected and specific to a particular recipient.  (This
2170	      does not affect the JWE Compact Serialization, in which all header
2171	      parameter values are in a single integrity protected JWE Header
2172	      value.)

2174	   o  Shortened the names "authentication_tag" to "tag" and
2175	      "initialization_vector" to "iv" in the JWE JSON Serialization,
2176	      addressing issue #20.

2178	   o  Removed "apv" (agreement PartyVInfo) since it is no longer used.

2180	   o  Removed suggested compact serialization for multiple recipients.

2182	   o  Changed the MIME type name "application/jwe-js" to
2183	      "application/jwe+json", addressing issue #22.

2185	   o  Tightened the description of the "crit" (critical) header
2186	      parameter.

2188	   -10

2190	   o  Changed the JWE processing rules for multiple recipients so that a
2191	      single AAD value contains the header parameters and encrypted key
2192	      values for all the recipients, enabling AES GCM to be safely used
2193	      for multiple recipients.

2195	   o  Added an appendix suggesting a possible compact serialization for
2196	      JWEs with multiple recipients.

2198	   -09

2200	   o  Added JWE JSON Serialization, as specified by
2201	      draft-jones-jose-jwe-json-serialization-04.

2203	   o  Registered "application/jwe-js" MIME type and "JWE-JS" typ header
2204	      parameter value.

2206	   o  Defined that the default action for header parameters that are not
2207	      understood is to ignore them unless specifically designated as
2208	      "MUST be understood" or included in the new "crit" (critical)
2209	      header parameter list.  This addressed issue #6.

2211	   o  Corrected "x5c" description.  This addressed issue #12.

2213	   o  Changed from using the term "byte" to "octet" when referring to 8
2214	      bit values.

2216	   o  Added Key Management Mode definitions to terminology section and
2217	      used the defined terms to provide clearer key management
2218	      instructions.  This addressed issue #5.

2220	   o  Added text about preventing the recipient from behaving as an
2221	      oracle during decryption, especially when using RSAES-PKCS1-V1_5.

2223	   o  Changed from using the term "Integrity Value" to "Authentication
2224	      Tag".

2226	   o  Changed member name from "integrity_value" to "authentication_tag"
2227	      in the JWE JSON Serialization.

2229	   o  Removed Initialization Vector from the AAD value since it is
2230	      already integrity protected by all of the authenticated encryption
2231	      algorithms specified in the JWA specification.

2233	   o  Replaced "A128CBC+HS256" and "A256CBC+HS512" with "A128CBC-HS256"
2234	      and "A256CBC-HS512".  The new algorithms perform the same
2235	      cryptographic computations as [I-D.mcgrew-aead-aes-cbc-hmac-sha2],
2236	      but with the Initialization Vector and Authentication Tag values
2237	      remaining separate from the Ciphertext value in the output
2238	      representation.  Also deleted the header parameters "epu"
2239	      (encryption PartyUInfo) and "epv" (encryption PartyVInfo), since
2240	      they are no longer used.

2242	   -08

2244	   o  Replaced uses of the term "AEAD" with "Authenticated Encryption",
2245	      since the term AEAD in the RFC 5116 sense implied the use of a
2246	      particular data representation, rather than just referring to the
2247	      class of algorithms that perform authenticated encryption with
2248	      associated data.

2250	   o  Applied editorial improvements suggested by Jeff Hodges and Hannes
2251	      Tschofenig.  Many of these simplified the terminology used.

2253	   o  Clarified statements of the form "This header parameter is
2254	      OPTIONAL" to "Use of this header parameter is OPTIONAL".

2256	   o  Added a Header Parameter Usage Location(s) field to the IANA JSON
2257	      Web Signature and Encryption Header Parameters registry.

2259	   o  Added seriesInfo information to Internet Draft references.

2261	   -07

2263	   o  Added a data length prefix to PartyUInfo and PartyVInfo values.

2265	   o  Updated values for example AES CBC calculations.

2267	   o  Made several local editorial changes to clean up loose ends left
2268	      over from to the decision to only support block encryption methods
2269	      providing integrity.  One of these changes was to explicitly state
2270	      that the "enc" (encryption method) algorithm must be an
2271	      Authenticated Encryption algorithm with a specified key length.

2273	   -06

2275	   o  Removed the "int" and "kdf" parameters and defined the new
2276	      composite Authenticated Encryption algorithms "A128CBC+HS256" and
2277	      "A256CBC+HS512" to replace the former uses of AES CBC, which
2278	      required the use of separate integrity and key derivation
2279	      functions.

2281	   o  Included additional values in the Concat KDF calculation -- the
2282	      desired output size and the algorithm value, and optionally
2283	      PartyUInfo and PartyVInfo values.  Added the optional header
2284	      parameters "apu" (agreement PartyUInfo), "apv" (agreement
2285	      PartyVInfo), "epu" (encryption PartyUInfo), and "epv" (encryption
2286	      PartyVInfo).  Updated the KDF examples accordingly.

2288	   o  Promoted Initialization Vector from being a header parameter to
2289	      being a top-level JWE element.  This saves approximately 16 bytes
2290	      in the compact serialization, which is a significant savings for
2291	      some use cases.  Promoting the Initialization Vector out of the
2292	      header also avoids repeating this shared value in the JSON
2293	      serialization.

2295	   o  Changed "x5c" (X.509 Certificate Chain) representation from being
2296	      a single string to being an array of strings, each containing a
2297	      single base64 encoded DER certificate value, representing elements
2298	      of the certificate chain.

2300	   o  Added an AES Key Wrap example.

2302	   o  Reordered the encryption steps so CMK creation is first, when
2303	      required.

2305	   o  Correct statements in examples about which algorithms produce
2306	      reproducible results.

2308	   -05

2310	   o  Support both direct encryption using a shared or agreed upon
2311	      symmetric key, and the use of a shared or agreed upon symmetric
2312	      key to key wrap the CMK.

2314	   o  Added statement that "StringOrURI values are compared as case-
2315	      sensitive strings with no transformations or canonicalizations
2316	      applied".

2318	   o  Updated open issues.

2320	   o  Indented artwork elements to better distinguish them from the body
2321	      text.

2323	   -04
2324	   o  Refer to the registries as the primary sources of defined values
2325	      and then secondarily reference the sections defining the initial
2326	      contents of the registries.

2328	   o  Normatively reference XML Encryption 1.1
2329	      [W3C.CR-xmlenc-core1-20120313] for its security considerations.

2331	   o  Reference draft-jones-jose-jwe-json-serialization instead of
2332	      draft-jones-json-web-encryption-json-serialization.

2334	   o  Described additional open issues.

2336	   o  Applied editorial suggestions.

2338	   -03

2340	   o  Added the "kdf" (key derivation function) header parameter to
2341	      provide crypto agility for key derivation.  The default KDF
2342	      remains the Concat KDF with the SHA-256 digest function.

2344	   o  Reordered encryption steps so that the Encoded JWE Header is
2345	      always created before it is needed as an input to the
2346	      Authenticated Encryption "additional authenticated data"
2347	      parameter.

2349	   o  Added the "cty" (content type) header parameter for declaring type
2350	      information about the secured content, as opposed to the "typ"
2351	      (type) header parameter, which declares type information about
2352	      this object.

2354	   o  Moved description of how to determine whether a header is for a
2355	      JWS or a JWE from the JWT spec to the JWE spec.

2357	   o  Added complete encryption examples for both Authenticated
2358	      Encryption and non-Authenticated Encryption algorithms.

2360	   o  Added complete key derivation examples.

2362	   o  Added "Collision Resistant Namespace" to the terminology section.

2364	   o  Reference ITU.X690.1994 for DER encoding.

2366	   o  Added Registry Contents sections to populate registry values.

2368	   o  Numerous editorial improvements.

2370	   -02
2371	   o  When using Authenticated Encryption algorithms (such as AES GCM),
2372	      use the "additional authenticated data" parameter to provide
2373	      integrity for the header, encrypted key, and ciphertext and use
2374	      the resulting "authentication tag" value as the JWE Authentication
2375	      Tag.

2377	   o  Defined KDF output key sizes.

2379	   o  Generalized text to allow key agreement to be employed as an
2380	      alternative to key wrapping or key encryption.

2382	   o  Changed compression algorithm from gzip to DEFLATE.

2384	   o  Clarified that it is an error when a "kid" value is included and
2385	      no matching key is found.

2387	   o  Clarified that JWEs with duplicate Header Parameter Names MUST be
2388	      rejected.

2390	   o  Clarified the relationship between "typ" header parameter values
2391	      and MIME types.

2393	   o  Registered application/jwe MIME type and "JWE" typ header
2394	      parameter value.

2396	   o  Simplified JWK terminology to get replace the "JWK Key Object" and
2397	      "JWK Container Object" terms with simply "JSON Web Key (JWK)" and
2398	      "JSON Web Key Set (JWK Set)" and to eliminate potential confusion
2399	      between single keys and sets of keys.  As part of this change, the
2400	      Header Parameter Name for a public key value was changed from
2401	      "jpk" (JSON Public Key) to "jwk" (JSON Web Key).

2403	   o  Added suggestion on defining additional header parameters such as
2404	      "x5t#S256" in the future for certificate thumbprints using hash
2405	      algorithms other than SHA-1.

2407	   o  Specify RFC 2818 server identity validation, rather than RFC 6125
2408	      (paralleling the same decision in the OAuth specs).

2410	   o  Generalized language to refer to Message Authentication Codes
2411	      (MACs) rather than Hash-based Message Authentication Codes (HMACs)
2412	      unless in a context specific to HMAC algorithms.

2414	   o  Reformatted to give each header parameter its own section heading.

2416	   -01
2417	   o  Added an integrity check for non-Authenticated Encryption
2418	      algorithms.

2420	   o  Added "jpk" and "x5c" header parameters for including JWK public
2421	      keys and X.509 certificate chains directly in the header.

2423	   o  Clarified that this specification is defining the JWE Compact
2424	      Serialization.  Referenced the new JWE-JS spec, which defines the
2425	      JWE JSON Serialization.

2427	   o  Added text "New header parameters should be introduced sparingly
2428	      since an implementation that does not understand a parameter MUST
2429	      reject the JWE".

2431	   o  Clarified that the order of the encryption and decryption steps is
2432	      not significant in cases where there are no dependencies between
2433	      the inputs and outputs of the steps.

2435	   o  Made other editorial improvements suggested by JOSE working group
2436	      participants.

2438	   -00

2440	   o  Created the initial IETF draft based upon
2441	      draft-jones-json-web-encryption-02 with no normative changes.

2443	   o  Changed terminology to no longer call both digital signatures and
2444	      HMACs "signatures".

2446	Authors' Addresses

2448	   Michael B. Jones
2449	   Microsoft

2451	   Email: mbj@microsoft.com
2452	   URI:   http://self-issued.info/

2454	   Eric Rescorla
2455	   RTFM, Inc.

2457	   Email: ekr@rtfm.com
2458	   Joe Hildebrand
2459	   Cisco Systems, Inc.

2461	   Email: jhildebr@cisco.com