New CS proposal: Javascript Object Signing and Encryption (JOSE) #1225

Open
craigjbass opened this issue Nov 16, 2023 · 7 comments
Labels
ACK_OBTAINED Issue acknowledged from core team so work can be done to fix it. HELP_WANTED Issue for which help is wanted to do the job. NEW_CS Issue about the creation of a new cheat sheet.

Comments

@craigjbass

craigjbass commented Nov 16, 2023

What is the proposed Cheat Sheet about?

Javascript Object Signing and Encryption. In particular JWE.

What security issues are commonly encountered related to this area?

  • How to configure JWE implementations to be secure.
  • Recommended encryption algorithms
  • Traps, e.g. using the same asymmetric keys between JWT and JWE. In what circumstances is this bad?

What is the objective of the Cheat Sheet?

To help people implement secure JWE implementations.

What other resources exist in this area?

Writing this because there seems to be very little guidance online, and some of it is contradictory.

The OWASP cheat sheet has some guidance on best use of JWT (object signing) but no guidance on the usage of JWE.

@craigjbass craigjbass added ACK_WAITING Issue waiting acknowledgement from core team before to start the work to fix it. HELP_WANTED Issue for which help is wanted to do the job. NEW_CS Issue about the creation of a new cheat sheet. labels Nov 16, 2023
@szh
Collaborator

szh commented Nov 16, 2023

Can you please provide some example topics that you'd like to have added, that aren't already covered in the JWT cheat sheet?

@craigjbass
Author

  • What algorithms are considered best practice? The algorithms for JWT are different to JWE.
  • Asymmetric vs symmetric keys
  • Clearing up the difference between JWT and JWE - signing vs encryption.
  • The differences between RSA, RSA-OAEP, A*KW, A*GCMKW, EdDSA, X25519/Curve25519, ECDH-ES+A*KW
  • Common use cases of JWE, and recommendations for hardening
    • Sessions
    • Inter-service communication
    • Authentication flows

@szh
Collaborator

szh commented Nov 16, 2023

Cool, seems like a good idea. Any input from the other maintainers?

@jmanico
Member

jmanico commented Nov 16, 2023 via email

@szh
Collaborator

szh commented Nov 17, 2023

Alright then! @craigjbass do you want to take this on?

@mackowski mackowski added ACK_OBTAINED Issue acknowledged from core team so work can be done to fix it. and removed ACK_WAITING Issue waiting acknowledgement from core team before to start the work to fix it. labels Nov 24, 2023
@mackowski
Collaborator

@craigjbass do you want to work on this?

@craigjbass
Author

craigjbass commented Nov 24, 2023

I think I would be able to write something, but I would need some help!

Some of the topics I want to cover, I'm not sure I know the answer to.
