…low the JWE recipient to be used as an oracle for decrypting messages. RFC 3218 [RFC3218] should be consulted for specific countermeasures to attacks on RSAES-PKCS1-v1_5. An attacker might modify the contents of the "alg" Header Parameter from "RSA-OAEP" to "RSA1_5" in order to g…
RFC 8551: Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 4.0 Message Specification
https://www.rfc-editor.org/rfc/rfc8551
…e of the art. For example: - The Million Message Attack described in RFC 3218 [RFC3218]. - The Diffie-Hellman "small-subgroup" attacks described in RFC 2785 [RFC2785]. - The attacks against hash algorithms described in RFC 4270 [RFC4270]. This specification uses Public-Key …