[cifs-protocol] [MS-OAPXBC] Exchange PRT for Access Token, HS256 or RS256? - TrackingID#2312150040011919

Obaid Farooqi obaidf at microsoft.com
Fri Dec 15 23:00:33 UTC 2023


Hi David:
Thanks for contacting Microsoft. I have created a case to track this issue. A member of the open specifications team will be in touch soon.

Regards,
Obaid Farooqi
Escalation Engineer | Microsoft

-----Original Message-----
From: David Mulder <dmulder at samba.org>
Sent: Friday, December 15, 2023 2:52 PM
To: Interoperability Documentation Help <dochelp at microsoft.com>
Cc: cifs-protocol at lists.samba.org
Subject: [EXTERNAL] [MS-OAPXBC] Exchange PRT for Access Token, HS256 or RS256?

In section 3.2.5.1.3.1 the protocol initially says that "JWTs are signed either with a device key or session keys".

Then for the jwt header alg field it says "HS256" is supported. The session key (session_key_jwe) obtained during the request for PRT would be the symmetric key for the HS256 algorithm. How do we sign instead with the device key? The private key for the device isn't symmetric. Do we instead sign it with RS256? The spec doesn't explain.

Likewise, in section 3.2.5.1.2.1, the PRT request says we can use either "a device key or session keys". The PRT request then explicitly states that we will use the "RS256" alg. RS256 isn't symmetric, so how would we then use the symmetric session key for signing?

--
David Mulder
Labs Software Engineer, Samba
SUSE
1221 S Valley Grove Way, Suite 500
Pleasant Grove, UT 84062
(P)+1 385.208.2989
dmulder at suse.com
http://www.suse.com/
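
The key-type point raised in the question above, as an added example that is not part of the original messages or of MS-OAPXBC: HS256 is an HMAC, so signer and verifier share one symmetric key, and a verifier holding only that key has to reject any other "alg" value rather than trust the header. The key, claims and function names are constructed for illustration, and the key is used directly; how the specification derives its signing key is not assumed here.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values, not taken from the page or the specification.
SESSION_KEY = bytes(range(32))
CLAIMS = {"iss": "example-client", "nonce": "constructed-nonce"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_part(obj: dict) -> str:
    return b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Compact JWS (RFC 7515): HMAC-SHA256 over 'header.payload'."""
    signing_input = encode_part({"alg": "HS256", "typ": "JWT"}) + "." + encode_part(claims)
    tag = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(tag)


def verify_with_symmetric_key(token: str, key: bytes) -> dict:
    """Return the claims, or raise ValueError. Only HS256 fits a symmetric key."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(b64url_decode(h64))
        signature = b64url_decode(s64)
    except ValueError as exc:  # wrong segment count, bad base64, bad JSON
        raise ValueError("malformed token") from exc
    # Pin the algorithm to the key type instead of trusting the header:
    # an RS256 header needs an RSA public key, which this verifier lacks.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("alg does not match a symmetric key")
    expected = hmac.new(key, f"{h64}.{p64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p64))
```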



