Hi Hannes,

On Nov 1, 2023, at 10:30 AM, Hannes Tschofenig <[email protected]> wrote:
> You also agree with me that information in the protected header is often processed without prior security verification.

I’m not sure we’re thinking the same here.

I think there is no problem that claims-in-headers might be processed without verification. I think that because we process protected headers/parameters in CMS, COSE and JOSE without verification. If it’s not a security issue for CMS, COSE and JOSE, it’s not a security issue for claims-in-headers. CMS in particular goes back decades.

LL
_______________________________________________
COSE mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/cose
