The threat model doc was really great, but I still couldn't find
anything concrete on what guarantees you lose if you use a public client
vs. a confidential one. Honestly, I'm just trying to have the right
info to guide users on what auth flow to use and the pros/cons.
On 3/27/2014 7:59 PM,
Dear Dick Hardt:
An IPR disclosure that pertains to your RFC entitled The OAuth 2.0
Authorization Framework (RFC6749) was submitted to the IETF Secretariat on
2014-03-28 and has been posted on the IETF Page of Intellectual Property Rights
Disclosures (https://datatracker.ietf.org/ipr/2336/).
hi *,
in the JWT specification [0] there is an example of a JWE that uses
A128CBC-HS256 for content encryption.
Now I am not a cryptographer myself but IIUC the same CEK is used for
encrypting with AES and authenticating with HMAC.
AFAIK it is better to use two different keys for those 2 different