On Thu, Apr 2, 2015 at 12:06 PM, Prateek Mishra <[email protected]> wrote:
> This sounds like a basic misunderstanding about the role of a "security
> toolkit" vs. an end-to-end protocol that uses a toolkit (e.g., SAML or
> openID Connect).
>
> For example, all of the crypto primitives available in java (jca/jce)
> could also be "misused" in these ways, so I am not sure this analysis is
> very helpful.
>

I'm not sure what you mean here. This isn't a case of implementers misusing primitives -- this is a case of attackers forcing misuse of primitives. Maybe you can clarify?

Tim
_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
