Brian's WGLC comment - compression

[yaronf]

Regarding compression, as stated previously, I believe the current text around compression in JWE is a bit overreaching and lacking in useful guidance about when it is or is not reasonable to use. Section 3.6 has a SHOULD NOT on compressing the JWE payload because it "often reveals information about the plaintext" but nothing about when the recommendation isn't actually applicable. Section 2.4, which points to that 3.6, does have some more text about "Plaintext Leakage through Analysis of Ciphertext Length" but mostly in the context of HTTPS, which is, of course, a completely different protocol with different considerations. I don't claim expertise but the conditions and problems described don't seem applicable to archetypal JW/JWT usage.

I anecdotally understand there's been implementation(s) that dropped support for the zip header, at least in part due to this text in RFC8725, which doesn't seem great for interop. Some recent SDO work like OpenID4VCI do have some "negotiation" capabilities around it but that one is the exception rather than the rule, which again doesn't seem good for interop.

cc: @bc-pi

[yaronf]

Reacting to the above, we've had over 20 years [1] of attacks on encryption combined with compression, so I don't think a SHOULD NOT is out of place. And it's not just TLS, there have been attacks on IPsec as well. Both are different from JWE/JWT but I think for the majority of cases a SHOULD NOT is a reasonable approach. In particular library developers often don't have enough context to say whether the risk exists in applications that are built on top of them.

Note that the original research is about both chosen-plaintext AND passive attacks, and the passive part might well apply to JWE.

Having said all that, I'm sure we could improve the text.

[1] John Kelsey, “Compression and Information Leakage of Plaintext,” FSE 2002 (LNCS 2365, pp. 263–276)

[selfissued]

Per the mailing list discussion on this topic:

As asked on the OAuth office hours call on Monday, November 17, 2025, are there new JWT best practices that have emerged on this topic since RFC 8725 was published that you can cite that you believe should be included in the draft, Brian? If so, please provide proposed text.

I was also going to add the Kelsey reference to the draft in response to this discussion, but I see that it's already there.