I'm not emphatic about either, but my vote is to remove the envelope.

-----Original Message-----
From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Brian Eaton
Sent: Monday, June 21, 2010 9:49 AM
To: Dick Hardt
Cc: OAuth WG
Subject: Re: [OAUTH-WG] proposal for signatures

On Mon, Jun 21, 2010 at 7:43 AM, Dick Hardt <dick.ha...@gmail.com> wrote:
> Thanks for writing this up Dirk.
> I would suggest that the token be:
> payload "." envelope "." signature
> This enables the payload to be encrypted and independent from the envelope.
> Token signing, verification, encryption and decryption code can then 
> be generic and not understand the payload of the token.

I think you can still do that even if payload and envelope are combined.

the signed json would become:

{
    signer: <whoever-signed>
    encrypted_for: <intended-destination>
    encrypted_payload: <the-encrypted-payload>
}
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
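
The combined form described in the reply above can still be handled by generic code that never looks inside the payload. A sketch of that, added here as an example and not part of the thread: HMAC-SHA256, base64url encoding, the two-part `body.signature` layout and the names `sign_token` and `verify_token` are assumptions, since the thread fixes none of them.

```python
import base64, hashlib, hmac, json

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_token(key: bytes, signer: str, encrypted_for: str, ciphertext: bytes) -> str:
    """Wrap an already-encrypted payload in the combined signed JSON."""
    body = json.dumps({
        "signer": signer,
        "encrypted_for": encrypted_for,
        "encrypted_payload": b64u(ciphertext),  # opaque to this layer
    }, separators=(",", ":")).encode("utf-8")
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return b64u(body) + "." + b64u(sig)

def verify_token(keys: dict, me: str, token: str) -> bytes:
    """Return the still-encrypted payload; raise ValueError on any failure."""
    body_part, sig_part = token.split(".")  # ValueError unless exactly two parts
    body, sig = b64u_decode(body_part), b64u_decode(sig_part)
    # The body is parsed before verification only to pick the key;
    # nothing in it is trusted until the MAC check passes.
    fields = json.loads(body)
    signer = fields.get("signer") if isinstance(fields, dict) else None
    key = keys.get(signer) if isinstance(signer, str) else None
    if key is None:
        raise ValueError("unknown signer")
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("bad signature")
    if fields.get("encrypted_for") != me:
        raise ValueError("token not intended for this recipient")
    return b64u_decode(fields["encrypted_payload"])

if __name__ == "__main__":
    # Constructed sample values: a shared key and bytes standing in for ciphertext.
    key = b"k" * 32
    ciphertext = bytes(range(16))
    token = sign_token(key, "issuer.example", "rs.example", ciphertext)
    print(token)
    print(verify_token({"issuer.example": key}, "rs.example", token) == ciphertext)
```

Decryption stays in a separate layer that receives the returned bytes, so the signing and verification code never needs to understand the payload.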
