Adding those security considerations is probably a good idea but it doesn't actually address the question from my WGLC comments on draft-ietf-oauth-jwsreq-06 <http://www.ietf.org/mail-archive/web/oauth/current/msg15072.html>.
The question was about what form an encrypted-only Request Object should have. There's text in the draft that seems to suggest it must be a JWS with alg=none nested inside a JWE. But there's also text that suggests a JWE with JSON Claims directly as the payload is okay. I was asking what the intent of the spec actually was and that it be clarified in the doc.

On Fri, Nov 6, 2015 at 6:03 AM, Hannes Tschofenig <hannes.tschofe...@gmx.net> wrote:

> Brian raised a question whether the request object is only encrypted.
> This led to a discussion of the difference between encryption and
> integrity protection (using symmetric and asymmetric cryptography). The
> conclusion was reached that the security consideration section needs to
> be updated to explain what properties the different methods for using
> JWS/JWE provide.
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
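The two forms the thread is asking about (an alg=none JWS nested inside a JWE, versus a JWE whose payload is the bare JSON claim set) can be told apart on the consumer side by the JWE's `cty` header, which RFC 7519 sets to "JWT" for a nested JWT. The following is an added example, not code from the draft or the thread; it takes the already-decrypted JWE payload and protected header as input (decryption itself is out of scope), treats both forms as encrypted-only unless a signed JWS is present, and the `verify_jws` callback, `SAMPLE_CLAIMS` and the helper names are assumptions of this example.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    """Decode unpadded base64url as used by JWS/JWE compact serialization."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def request_object_claims(jwe_protected_header: dict, plaintext: bytes,
                          allow_unsigned: bool, verify_jws=None) -> dict:
    """Return the claims carried by a decrypted Request Object.

    jwe_protected_header: parsed protected header of the outer JWE.
    plaintext: the decrypted JWE payload.
    allow_unsigned: whether an encrypted-only object (no real signature) is acceptable.
    verify_jws: callback(header, signing_input, signature) -> bool for signed JWS
                (assumed interface; key lookup is up to the caller).
    """
    if str(jwe_protected_header.get("cty", "")).upper() == "JWT":
        # Nested JWT (RFC 7519 section 5.2): the payload is itself a compact JWS.
        parts = plaintext.decode("ascii").split(".")
        if len(parts) != 3:
            raise ValueError("nested JWS must have exactly three segments")
        header = json.loads(_b64url_decode(parts[0]))
        if header.get("alg") == "none":
            # Unsecured JWS (RFC 7515 appendix A.5): signature segment must be empty.
            if parts[2] != "":
                raise ValueError("alg=none with a non-empty signature segment")
            if not allow_unsigned:
                raise ValueError("unsigned (encrypted-only) request object not accepted")
        else:
            signing_input = (parts[0] + "." + parts[1]).encode("ascii")
            if verify_jws is None or not verify_jws(header, signing_input, _b64url_decode(parts[2])):
                raise ValueError("JWS signature verification failed")
        return json.loads(_b64url_decode(parts[1]))
    # No nesting: the JWE payload is the JSON claim set, so there is no signature at all.
    if not allow_unsigned:
        raise ValueError("unsigned (encrypted-only) request object not accepted")
    return json.loads(plaintext)


def unsecured_jws(claims: dict) -> str:
    """Build an alg=none compact JWS (constructed input for the example)."""
    return _b64url_encode(json.dumps({"alg": "none"}).encode()) + "." + \
        _b64url_encode(json.dumps(claims).encode()) + "."


# Constructed sample claim set; the values are placeholders, not a real client.
SAMPLE_CLAIMS = {"iss": "client-EXAMPLE", "client_id": "client-EXAMPLE", "response_type": "code"}
```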