You’re welcome.  Thanks, as always, for the useful feedback that improved the 
specification.

From: Brian Campbell [mailto:bcampb...@pingidentity.com]
Sent: Monday, August 31, 2015 1:47 PM
To: Mike Jones
Cc: oauth
Subject: Re: [OAUTH-WG] proof-of-possession-02 unencrypted oct JWK in encrypted 
JWT okay?

Thank you

On Fri, Aug 28, 2015 at 7:04 PM, Mike Jones 
<michael.jo...@microsoft.com<mailto:michael.jo...@microsoft.com>> wrote:
This was added at the end of Section 3.2 in 
-04<https://na01.safelinks.protection.outlook.com/?url=http%3a%2f%2ftools.ietf.org%2fhtml%2fdraft-ietf-oauth-proof-of-possession-04&data=01%7c01%7cMichael.Jones%40microsoft.com%7c8fc6894cabb2401f16d108d2b24568c4%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=ziYwMBX86u%2bC97p3VONieq8E%2bYNhXEEUVYcH2cn12nc%3d>.
  Thanks again for the practical feedback, Brian!

                                                                -- Mike

From: John Bradley [mailto:ve7...@ve7jtb.com<mailto:ve7...@ve7jtb.com>]
Sent: Tuesday, August 11, 2015 4:05 PM
To: Mike Jones
Cc: Brian Campbell; oauth
Subject: Re: [OAUTH-WG] proof-of-possession-02 unencrypted oct JWK in encrypted 
JWT okay?

OK
On Aug 11, 2015, at 12:57 AM, Mike Jones 
<michael.jo...@microsoft.com<mailto:michael.jo...@microsoft.com>> wrote:

As discussed in the thread “[OAUTH-WG] JWT PoP Key Semantics WGLC followup 2 
(was Re: proof-of-possession-02 unencrypted oct JWK in encrypted JWT okay?)”, I 
will update the draft to say that the symmetric key can be carried in the “jwk” 
element in an unencrypted form if the JWT is itself encrypted.  This will 
happen in -04.

                                                            -- Mike

From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Brian Campbell
Sent: Sunday, March 22, 2015 11:41 PM
To: oauth
Subject: [OAUTH-WG] proof-of-possession-02 unencrypted oct JWK in encrypted JWT 
okay?

When the JWT is itself encrypted as a JWE, would it not be reasonable to have a 
symmetric key be represented in the cnf claim with the jwk member as an 
unencrypted JSON Web Key?
Is such a possibility left as an exercise to the reader? Or should it be more 
explicitly allowed or disallowed?

_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth<https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2fwww.ietf.org%2fmailman%2flistinfo%2foauth&data=01%7c01%7cMichael.Jones%40microsoft.com%7c8fc6894cabb2401f16d108d2b24568c4%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=ybBu1UvIY329rAf0U%2fF165BzKHKaXOqzGmf2B1FiZO4%3d>


_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Reply via email to