Yes, encrypting the claim should only be required when the entire JWT is not encrypted. I will have a look.
John B.

> On Jul 30, 2015, at 3:12 PM, Brian Campbell <bcampb...@pingidentity.com> wrote:
>
> I raised the below question during the WGLC back in March but never got any response.
>
> JWE does add nontrivial size overhead to the message and in the case that a JWT containing a symmetric confirmation key is already a JWE, the spec would seem to require two layers of encryption and the associated overhead that comes with it - even though the key is already encrypted by the outer JWE layer.
>
> I believe the draft should speak to how a symmetric key can be represented as a claim in the clear when the encryption of it is provided by the JWE/JWT that contains it.
>
>
> On Mon, Mar 23, 2015 at 12:40 AM, Brian Campbell <bcampb...@pingidentity.com <mailto:bcampb...@pingidentity.com>> wrote:
> When the JWT is itself encrypted as a JWE, would it not be reasonable to have a symmetric key be represented in the cnf claim with the jwk member as an unencrypted JSON Web Key?
>
> Is such a possibility left as an exercise to the reader? Or should it be more explicitly allowed or disallowed?
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
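The two token shapes discussed in this thread, as an added example that is not part of the original messages or of any IETF draft: an encrypted JWT whose cnf claim carries the symmetric key as a plain jwk member (the form Brian asks about, relying on the outer JWE), beside the double-wrapped form where the key is first put in its own JWE under cnf.jwe. Both layers use direct encryption (alg "dir", enc "A256GCM") with an assumed key shared by the issuer and the resource server, named rsKey here; the key values, claim values and function names are constructed for the example, and a real deployment would normally use a key-management alg rather than "dir". RecoverPoPKey accepts either form, so the size difference between the two tokens is the overhead the second layer costs.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

var b64 = base64.RawURLEncoding

// Fixed protected header; DecryptJWE accepts only this exact encoding, which
// rejects alg/enc substitution without ever parsing an untrusted header.
var jweHdr = b64.EncodeToString([]byte(`{"alg":"dir","enc":"A256GCM"}`))

// EncryptJWE builds a compact JWE with alg "dir" and enc "A256GCM"; per RFC 7516
// the AAD is the ASCII form of the encoded protected header.
func EncryptJWE(plaintext, cek []byte) (string, error) {
	if len(cek) != 32 {
		return "", errors.New("A256GCM needs a 32-byte key")
	}
	block, _ := aes.NewCipher(cek)
	gcm, _ := cipher.NewGCM(block)
	iv := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nil, iv, plaintext, []byte(jweHdr)) // ciphertext || 16-byte tag
	n := len(sealed) - gcm.Overhead()
	return strings.Join([]string{jweHdr, "", b64.EncodeToString(iv),
		b64.EncodeToString(sealed[:n]), b64.EncodeToString(sealed[n:])}, "."), nil
}

// DecryptJWE reverses EncryptJWE, authenticating the header as AAD.
func DecryptJWE(token string, cek []byte) ([]byte, error) {
	p := strings.Split(token, ".")
	if len(p) != 5 || p[0] != jweHdr || p[1] != "" || len(cek) != 32 {
		return nil, errors.New("not the expected direct-encryption JWE")
	}
	block, _ := aes.NewCipher(cek)
	gcm, _ := cipher.NewGCM(block)
	iv, e1 := b64.DecodeString(p[2])
	ct, e2 := b64.DecodeString(p[3])
	tag, e3 := b64.DecodeString(p[4])
	if e1 != nil || e2 != nil || e3 != nil || len(iv) != gcm.NonceSize() {
		return nil, errors.New("malformed JWE segments")
	}
	return gcm.Open(nil, iv, append(ct, tag...), []byte(jweHdr))
}

// IssuePoPJWE encrypts a JWT whose cnf claim carries a symmetric PoP key.
// doubleWrap=false puts a plain cnf.jwk inside, relying on the outer JWE;
// doubleWrap=true first wraps the key in its own JWE (cnf.jwe). rsKey is an
// assumed key shared by the issuer and the resource server (example only).
func IssuePoPJWE(popKey, rsKey []byte, doubleWrap bool) (string, error) {
	jwk := map[string]any{"kty": "oct", "k": b64.EncodeToString(popKey)}
	claims := map[string]any{"iss": "https://as.example", "aud": "https://rs.example"}
	if doubleWrap {
		jb, _ := json.Marshal(jwk)
		inner, err := EncryptJWE(jb, rsKey)
		if err != nil {
			return "", err
		}
		claims["cnf"] = map[string]any{"jwe": inner}
	} else {
		claims["cnf"] = map[string]any{"jwk": jwk}
	}
	cb, _ := json.Marshal(claims)
	return EncryptJWE(cb, rsKey)
}

// RecoverPoPKey is the resource-server side: open the token, then take the
// key from cnf.jwk or, for the wrapped form, open cnf.jwe as well.
func RecoverPoPKey(token string, rsKey []byte) ([]byte, error) {
	var claims, jwk map[string]any
	pt, err := DecryptJWE(token, rsKey)
	if err == nil {
		err = json.Unmarshal(pt, &claims)
	}
	if err != nil {
		return nil, err
	}
	cnf, _ := claims["cnf"].(map[string]any)
	if inner, ok := cnf["jwe"].(string); ok {
		if pt, err = DecryptJWE(inner, rsKey); err == nil {
			err = json.Unmarshal(pt, &jwk)
		}
	} else {
		jwk, _ = cnf["jwk"].(map[string]any)
	}
	k, _ := jwk["k"].(string)
	if err != nil || jwk["kty"] != "oct" || k == "" {
		return nil, errors.New("cnf does not yield a usable symmetric JWK")
	}
	return b64.DecodeString(k)
}
```

With the constructed 32-byte keys used in the test, the single-layer token is well over a hundred characters shorter than the double-wrapped one, since the inner JWE adds its own header, IV and tag and then gets base64-expanded again inside the outer ciphertext. Two checks worth copying into any real verifier: the protected header is compared against a fixed expected value rather than parsed and trusted, and the same encoded header is fed to GCM as AAD, so a token whose header or ciphertext has been altered fails authentication before any claim is read.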