I'm not an expert on cryptography, so, the understanding below might not be entirely correct.
From what I understand, in the context of JWE, the RSA-OAEP-256 key algorithm is meant to provide payload integrity and confidentiality. If the authenticity is also a goal (i.e. to know that the token is created by a trusted party), it's better to use a symmetric key algorithm (e.g. A256GCMKW) instead, or use an embedded JWT with JWS inside a JWE.
And the reason that RSA-OAEP-256 doesn't provide authenticity is that it's an asymmetric key algorithm, where the public key used for encryption is meant to be known to everyone. Therefore, anyone with the public key is able to create a token.
My question is, if the public key is only held by the trusted party, will it be fine to use RSA-OAEP-256 to authenticate the token issuer? (Q1)
The question I guess becomes whether it's considered feasible to deduce the public key using CCA and CPA attacks in the context of RSA-OAEP-256 in JWE.
If it's not considered feasible, is it still preferred to use a symmetric key algorithm e.g. A256GCMKW over using RSA-OAEP-256 in this way (keeping the public key as a secret), given that the goal is to achieve integrity, confidentiality and authenticity? (Q2)
Thanks.
