I emailed this issue to the JOSE working group on the corresponding mailing list. We all seem to agree that at least an erratum identifying the problem is welcome. This contribution is a direct attempt to raise awareness of this specific problem.

Jim Schaad and Karen O'Donoghue chaired the JOSE working group, and Sean Turner, Stephen Farrell and Kathleen Moriarty served as Security Area Directors during the development of this specification.

After the first message and the reply have been exchanged, both parties can communicate using the key derived from the second message as the encryption key for any number of additional messages. If ECDH-1PU is used in Direct Key Agreement mode, subsequent messages must be encrypted with the derived key using the JWE “dir” (Direct) algorithm. If it is used in Key Agreement with Key Wrapping mode, subsequent messages must be encrypted with the derived key using the associated key wrapping algorithm, as shown in the following table:

In Key Agreement with Key Wrapping mode, the output of the KDF is a key of the length needed for the specified key wrapping algorithm. In this case, the JWE Encrypted Key is the CEK wrapped with the agreed-upon key.

In this case, the JWE Protected Header also lists the elliptic curve used for the key agreement:

The “epk” (ephemeral public key) value created by the originator for use in key agreement algorithms. This key is represented as a JSON Web Key [JWK] (Jones, M., “JSON Web Key (JWK),” July 2014.) public key value. It MUST contain only public key parameters and should contain only the minimum JWK parameters required to represent the key.
Other JWK parameters included can be checked and honored, or they can be ignored. This Header Parameter MUST be present and MUST be understood and processed by implementations when these algorithms are used.

Bob's key (in JWK format) used for the key agreement computation in this example (including the private part) is as follows:

as a symmetric key used to wrap the CEK with the A128KW, A192KW or A256KW algorithms, in Key Agreement with Key Wrapping mode.

In Direct Key Agreement mode, the output of the KDF must be a key of the same length as that used by the “enc” algorithm. In this case, the empty octet sequence is used as the JWE Encrypted Key value. The “alg” (algorithm) Header Parameter value “ECDH-1PU” is used in Direct Key Agreement mode.

This section defines the specifics of key agreement with Elliptic Curve Diffie-Hellman Ephemeral Static [RFC6090] (McGrew, D., Igoe, K., and M. Salter, “Fundamental Elliptic Curve Cryptography Algorithms,” February 2011.), in combination with the Concat KDF, as defined in Section 5.8.1 of [NIST.800-56A] (National Institute of Standards and Technology (NIST), “Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography,” May 2013.).
The key agreement result can be used in one of two ways:

The “apu” (agreement PartyUInfo) value for key agreement algorithms that use it (for example, “ECDH-ES”), represented as a base64url-encoded string. When used, the PartyUInfo value contains information about the sender. Use of this Header Parameter is OPTIONAL. This Header Parameter MUST be understood and processed by implementations when these algorithms are used.

The following Header Parameter values are used to indicate that the JWE Encrypted Key is the result of encrypting the CEK using the result of the key agreement algorithm as the key encryption key for the corresponding key wrapping algorithm:

A party that has received an encrypted JWE can reply to that message by creating a new JWE with ECDH-1PU, but using the ephemeral public key (“epk”) from the first message as if it were the static public key of the originating party.