> I think it’s a nice clean minimal solution to say that producers MUST
> NOT generate dupes, end of story. I don’t think saying anything beyond
> that adds value. -T
Clean and minimal that may be, but it ignores the security issue. We don't want a malicious producer (who is so malicious they ignore a MUST) to create JOSE messages that a JOSE-compliant security layer accepts as "benign interpretation #1" so it passes the message on to the JOSE-compliant backend app that acts on "nasty interpretation #2".

--
James Manger
_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
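
The concern in the message above, as an added example that is not part of the original thread or of any JOSE implementation: two parsers read the same header bytes differently when a member name repeats, and a consumer-side check that rejects such a header closes the gap. The function names, the sample header and its "kid" values are constructed for illustration.

```python
import base64
import json


class DuplicateMemberError(ValueError):
    """Raised when a JSON object repeats a member name."""


def _reject_duplicates(pairs):
    # object_pairs_hook receives every (name, value) pair of one object,
    # in document order, before the json module collapses them into a dict.
    seen = {}
    for name, value in pairs:
        if name in seen:
            raise DuplicateMemberError(f"duplicate member name: {name!r}")
        seen[name] = value
    return seen


def _first_wins(pairs):
    # Models a parser that keeps the first occurrence of a repeated name.
    result = {}
    for name, value in pairs:
        result.setdefault(name, value)
    return result


def b64url_decode(segment):
    # JOSE uses base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def parse_header_strict(segment):
    """Decode a header segment, refusing repeated member names at any depth."""
    return json.loads(b64url_decode(segment), object_pairs_hook=_reject_duplicates)


def interpretations(segment):
    """Return (first-wins view, last-wins view) of the same header bytes."""
    raw = b64url_decode(segment)
    first = json.loads(raw, object_pairs_hook=_first_wins)
    last = json.loads(raw)  # Python's json module keeps the last occurrence
    return first, last


# Constructed sample: a header whose "kid" member appears twice.
SAMPLE_JSON = '{"alg":"ES256","kid":"key-A","kid":"key-B"}'
SAMPLE_SEGMENT = base64.urlsafe_b64encode(SAMPLE_JSON.encode()).decode().rstrip("=")
```

Running `interpretations(SAMPLE_SEGMENT)` shows the two views disagreeing on "kid", while `parse_header_strict(SAMPLE_SEGMENT)` raises before either view can be acted on.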
