CheatSheetSeries New CS proposal: Javascript Object Signing and Encryption (JOSE)

What is the proposed Cheat Sheet about?

Javascript Object Signing and Encryption. In particular JWE.

How to configure JWE implementations to be secure.
Recommended encryption algorithms
Traps e.g. using the same asymmetric keys between JWT and JWE. In what circumstances is this bad?

To help people implement secure JWE implementations.

Writing this because there seems to be very little guidance online, and some of it is contradictory.

The owasp cheatsheet has some guidance on best use of JWT (object signing) but no guidance on the usage of JWE.

Nov 16 '23 09:11 craigjbass

Can you please provide some example topics that you'd like to have added, that aren't already covered in the JWT cheat sheet?

Nov 16 '23 13:11 szh

What algorithms are considered best practice? The algorithms for JWT are different to JWE.
Asymetric vs Symmetric keys
Clearing up the different between JWT and JWE - signing vs encryption.
The differences between RSA, RSA-OAEP, AKW, A-GC-MKW, EdDSA, X25519/Curve25119, ECDH-ES+A*KW
Common use cases of JWE, and recommendations for hardening
- Sessions
- Inter-service communication
- Authentication flows

Nov 16 '23 14:11 craigjbass

Cool, seems like a good idea. Any input from the other maintainers?

Nov 16 '23 19:11 szh

I think this is a great idea!!

Nov 16 '23 20:11 jmanico

Alright then! @craigjbass do you want to take this on?

Nov 17 '23 13:11 szh

@craigjbass do you want to work on this?

Nov 24 '23 08:11 mackowski

I think I would be able to write something, but I would need some help!

Some of the topics I want to cover, I'm not sure I know the answer to.

Nov 24 '23 09:11 craigjbass