On Mon, Jun 21, 2010 at 7:43 AM, Dick Hardt <dick.ha...@gmail.com> wrote:
> Thanks for writing this up Dirk.
> I would suggest that the token be:
> payload "." envelope "." signature
> This enables the payload to be encrypted and independent from the envelope.
> Token signing, verification, encryption and decryption code can then be
> generic and not understand the payload of the token.

I think you can still do that even if payload and envelope are combined.

The signed JSON would become:

{
    "signer": "<whoever-signed>",
    "encrypted_for": "<intended-destination>",
    "encrypted_payload": "<the-encrypted-payload>"
}
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
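The combined form proposed in the reply above, worked through as an added example (this is not code from the thread or from any OAuth implementation): the encrypted payload rides inside the envelope as an opaque blob, so the token has two parts, envelope "." signature, and the signing and verification code never parses the payload. HMAC-SHA256 stands in for the signature scheme, the canonical JSON serialisation and the base64url helpers are this example's own assumptions, and the ciphertext is a constructed byte string standing in for whatever the sender's cipher produced for the recipient.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, so the token stays URL-safe."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the padding the decoder needs."""
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def build_envelope(signer: str, encrypted_for: str, ciphertext: bytes) -> dict:
    """The combined envelope from the reply: signer, encrypted_for, encrypted_payload.

    ciphertext is whatever cipher output the sender produced for encrypted_for;
    nothing here needs to know how to decrypt it or what it contains.
    """
    return {
        "signer": signer,
        "encrypted_for": encrypted_for,
        "encrypted_payload": b64url_encode(ciphertext),
    }


def sign(envelope: dict, signing_key: bytes) -> str:
    """Return envelope '.' signature.

    The envelope is serialised canonically (sorted keys, no whitespace) so the
    verifier rebuilds exactly the bytes that were signed.  HMAC-SHA256 is an
    assumption standing in for the deployment's real signature scheme.
    """
    env_bytes = json.dumps(envelope, sort_keys=True, separators=(",", ":")).encode("utf-8")
    env_b64 = b64url_encode(env_bytes)
    tag = hmac.new(signing_key, env_b64.encode("ascii"), hashlib.sha256).digest()
    return env_b64 + "." + b64url_encode(tag)


def verify(token: str, signing_key: bytes) -> Optional[dict]:
    """Check the signature and return the envelope, or None on any failure.

    Only the envelope bytes are examined.  The encrypted payload is covered by
    the signature (it is a field of the envelope) but is never decoded here,
    so verification needs neither the decryption key nor the payload format.
    """
    parts = token.split(".")
    if len(parts) != 2:
        return None
    env_b64, sig_b64 = parts
    try:
        presented = b64url_decode(sig_b64)
        env_bytes = b64url_decode(env_b64)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return None
    expected = hmac.new(signing_key, env_b64.encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented):
        return None
    return json.loads(env_bytes)


def tamper_payload(token: str) -> str:
    """Flip one bit of the encrypted payload while keeping the old signature.

    Used only to show that a modification inside the opaque blob is caught by
    the envelope signature even though the verifier never looks inside it.
    """
    env_b64, sig_b64 = token.split(".")
    env = json.loads(b64url_decode(env_b64))
    blob = bytearray(b64url_decode(env["encrypted_payload"]))
    blob[0] ^= 0x01
    env["encrypted_payload"] = b64url_encode(bytes(blob))
    env_bytes = json.dumps(env, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return b64url_encode(env_bytes) + "." + sig_b64


if __name__ == "__main__":
    # Constructed demo values: a throwaway key and a stand-in ciphertext blob.
    key = b"constructed-demo-signing-key-not-for-real-use"
    ciphertext = b"\x00\x01opaque-ciphertext-bytes"
    token = sign(build_envelope("https://issuer.example", "https://rp.example", ciphertext), key)
    print("token:", token)
    print("verified envelope:", verify(token, key))
    print("wrong key:", verify(token, b"some-other-key"))
    print("tampered payload:", verify(tamper_payload(token), key))
```

The verifier only ever touches the two dot-separated parts and the envelope's JSON, so the same sign and verify functions serve any payload format; the recipient decrypts encrypted_payload with its own key only after verify has returned the envelope.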