Encryption beyond ws-security: JWE, encrypted content-coding, CMS or else from Roberto Polli on 2020-09-29 (ietf-http-wg@w3.org from July to September 2020)

From: Roberto Polli <robipolli@gmail.com>
Date: Tue, 29 Sep 2020 17:57:52 +0200
To: HTTP Working Group <ietf-http-wg@w3.org>
Cc: Alexander.Hoose@fitko.de
Message-ID: <CAP9qbHU-Nkd-3rtL5zb1=C7Uvf+4Pb=ws73R7NF6q_2eVysrTg@mail.gmail.com>

Hi @all,

I'm trying to find a suitable way to replace ws-* for encrypting
payload bodies with some other specification more suitable to a REST
approach.
It seems that the enterprise industry is still fond of JWE - but  I'd
avoid it if I can, considering that a good library like google/tink is
not going to implement it
https://github.com/google/tink/issues/342#issuecomment-658450381
moreover the specs

Leveraging the content-coding feature of HTTP, there's rfc8188 which
seems interesting: still I don't know how many implementers are in the
wild. Don't know if that mechanism can be extended to PKI encryption.
Another solution could be CMS / S-mime.

What do you think/use/suggest?

Thanks and regards,
R.

Received on Tuesday, 29 September 2020 15:58:16 UTC