Yes - a separate doc. Given that it is potentially useful in the context of
OAuth, it might be something that the OAuth WG could consider, given that the
JOSE WG is disbanded. I’ll see if I can find some time to put a draft together.
(In markdown now that my mind has been blown that I don’t have
Hi Neil,
thanks! This does sound very interesting. Just to clarify, you would
document this in a separate doc extending JOSE?
We could then mention it from the JWT AT profile, which would remain
lightweight and implementation independent.
thanks
V.
On Tue, Mar 26, 2019 at 3:11 AM Neil Madden wrote:
There was a brief discussion at OSW about signing vs encryption for JWT-based
access tokens. I think it was Brian Campbell that pointed out that you often
want authenticated encryption rather than signing, and I agree with this.
Currently JOSE only supports authenticated encryption for symmetric