Hi Malla,

Just to add one more thing: If you just want to "sign" for the sake of integrity protection, you really do not need to do it as all the algs in JWE are integrity protected.

--
Nat Sakimura <n-sakim...@nri.co.jp>
Nomura Research Institute, Ltd.

From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of John Bradley
Sent: Friday, July 17, 2015 7:45 AM
To: Malla Simhachalam <mallasimhacha...@gmail.com>
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Nesting Signatures and Encryption JWT Tokens

https://tools.ietf.org/html/rfc7519#section-11.2

It is in the JWT spec. You can do it both ways; however, you really need a good reason not to sign then encrypt, and then after you have a good reason you should still sign then encrypt because you probably have not considered everything. There are probably some edge cases that are exceptions to the rule, but they are rare.

John B.

On Jul 16, 2015, at 11:33 PM, Malla Simhachalam <mallasimhacha...@gmail.com> wrote:

Hi,

I am looking at the spec https://datatracker.ietf.org/doc/rfc7520/?include_text=1 for combining JWS and JWE use case. I could not find it obvious that a JSON document should be signed first and then encrypted, or the other way around. Are there any recommendations one over the other?

Thanks for help.

Malla

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
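The sign-then-encrypt nesting John recommends, with the JWE layer supplying the integrity protection Nat describes, as an added Go example (not code from the thread or from any IETF document); the keys, the claims, and the choice of HS256 inside a "dir"/A256GCM JWE are assumptions made for the demonstration, and the receiver decrypts first and only then verifies the inner signature.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)
var b64 = base64.RawURLEncoding
func hs256(key []byte, in string) []byte { m := hmac.New(sha256.New, key); m.Write([]byte(in)); return m.Sum(nil) }
func aeadFor(cek []byte) cipher.AEAD   { b, _ := aes.NewCipher(cek); g, _ := cipher.NewGCM(b); return g } // assumes a 32-byte CEK (assumption)
// signJWS: step one, the inner compact JWS, HS256 over the claims (RFC 7515).
func signJWS(claims map[string]any, key []byte) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	pl, _ := json.Marshal(claims)
	si := b64.EncodeToString(hdr) + "." + b64.EncodeToString(pl)
	return si + "." + b64.EncodeToString(hs256(key, si))
}
// encryptJWE: step two, wrap that JWS in a compact JWE (alg "dir", enc A256GCM); "cty":"JWT" marks the nesting per RFC 7519 sec. 5.2.
func encryptJWE(innerJWS string, cek []byte) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "dir", "enc": "A256GCM", "cty": "JWT"})
	aad := b64.EncodeToString(hdr) // the protected header is also the AEAD additional data (RFC 7516 sec. 5.1)
	gcm := aeadFor(cek)
	iv := make([]byte, gcm.NonceSize())
	rand.Read(iv)
	sealed := gcm.Seal(nil, iv, []byte(innerJWS), []byte(aad))
	n := len(sealed) - gcm.Overhead() // Go appends the 16-byte GCM tag; JWE carries it as its own segment
	return strings.Join([]string{aad, "", b64.EncodeToString(iv), b64.EncodeToString(sealed[:n]), b64.EncodeToString(sealed[n:])}, ".")
}
// openNested: decrypt first (GCM rejects any altered bit, so the JWE layer already gives integrity), then verify the inner JWS; a production verifier must also check the alg/enc headers.
func openNested(token string, cek, sigKey []byte) (map[string]any, error) {
	dec := func(s string) []byte { b, _ := b64.DecodeString(s); return b }
	p, gcm := strings.Split(token, "."), aeadFor(cek)
	if len(p) != 5 { return nil, errors.New("malformed JWE") }
	iv, ct, tag := dec(p[2]), dec(p[3]), dec(p[4])
	if len(iv) != gcm.NonceSize() { return nil, errors.New("bad IV length") }
	inner, err := gcm.Open(nil, iv, append(ct, tag...), []byte(p[0])) // fails on any tampering with header, IV, ciphertext or tag
	if err != nil { return nil, errors.New("JWE authentication failed") }
	q := strings.Split(string(inner), ".")
	if len(q) != 3 || !hmac.Equal(dec(q[2]), hs256(sigKey, q[0]+"."+q[1])) { return nil, errors.New("inner JWS signature rejected") }
	var claims map[string]any
	return claims, json.Unmarshal(dec(q[1]), &claims)
}
```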