I raised the below question during the WGLC back in March but never got any response.
JWE does add nontrivial size overhead to the message and in the case that a JWT containing a symmetric confirmation key is already a JWE, the spec would seem to require two layers of encryption and the associated overhead that comes with it - even though the key is already encrypted by the outer JWE layer. I believe the draft should speak to how a symmetric key can be represented as a claim in the clear when the encryption of it is provided by the JWE/JWT that contains it.

On Mon, Mar 23, 2015 at 12:40 AM, Brian Campbell <bcampb...@pingidentity.com> wrote:

> When the JWT is itself encrypted as a JWE, would it not be reasonable to
> have a symmetric key be represented in the cnf claim with the jwk member as
> an unencrypted JSON Web Key?
>
> Is such a possibility left as an exercise to the reader? Or should it be
> more explicitly allowed or disallowed?
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
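The size cost raised in the message above can be estimated without performing any encryption, because the length of a JWE compact serialization is fixed by its part lengths. This is an added example, not part of the original message or the draft: it assumes `dir` with `A128GCM` for both layers (the smallest JWE possible, so the result is a lower bound), uses constructed claims and an all-zero sample key, and uses the `jwe` member of `cnf` for the wrapped key.

```python
import base64
import json

def b64url(data: bytes) -> str:
    """Unpadded base64url, as used by JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_len(n: int) -> int:
    """Length of the unpadded base64url encoding of n bytes."""
    return (4 * n + 2) // 3

def compact_json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")

def jwe_compact_len(plaintext_len, header, encrypted_key_len=0, iv_len=12, tag_len=16):
    """Size of a JWE compact serialization using AES-GCM content encryption,
    where the ciphertext is exactly as long as the plaintext."""
    parts = [len(compact_json(header)), encrypted_key_len, iv_len, plaintext_len, tag_len]
    return sum(b64url_len(p) for p in parts) + 4  # four '.' separators

# Assumed header for both layers: direct use of a shared key (empty encrypted-key part).
HEADER = {"alg": "dir", "enc": "A128GCM"}

def compare(key_len=16):
    # Constructed sample key (all zero bytes); only its length affects the result.
    jwk = {"kty": "oct", "k": b64url(bytes(key_len))}
    base = {"iss": "https://as.example.com", "exp": 1427068800}  # constructed claims
    # Option 1: key in the clear in cnf/jwk, protected only by the outer JWE.
    clear = compact_json({**base, "cnf": {"jwk": jwk}})
    # Option 2: key wrapped in its own JWE first; a filler string of the
    # computed length stands in for the inner JWE.
    inner_len = jwe_compact_len(len(compact_json(jwk)), HEADER)
    nested = compact_json({**base, "cnf": {"jwe": "x" * inner_len}})
    return {
        "inner_jwe": inner_len,
        "outer_clear": jwe_compact_len(len(clear), HEADER),
        "outer_nested": jwe_compact_len(len(nested), HEADER),
    }

if __name__ == "__main__":
    sizes = compare()
    print(sizes, "extra bytes:", sizes["outer_nested"] - sizes["outer_clear"])
```

Key-wrapping or RSA-based algorithms on the inner layer add a non-empty encrypted-key part and a longer header, so the difference only grows from the figure this prints.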