Hi guys, I recently found out there are users of the Nimbus JOSE+JWT library who occasionally nest JWS/JWE objects in the wrong order, thinking they are equivalent.
Interestingly, so far this was only observed with developers of non-JWT apps.

I suggest the JWS and JWE specs get a section in the security considerations similar to JWT's http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-25#section-11.2

Cheers,
Vladimir
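
Added example, not part of the original message and not Nimbus code: a keyless check that reports which layer of a compact JOSE object is outermost, so a receiver can reject encrypt-then-sign input when it expects the order the linked JWT section recommends (sign first, then encrypt). The function names, return labels and sample tokens are assumptions made for this illustration.

```python
import base64
import json

def b64url_decode(seg: str) -> bytes:
    # JOSE uses unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def layer_type(token: str) -> str:
    """Classify a compact serialization: 3 segments + "alg" = JWS, 5 + "enc" = JWE."""
    parts = token.split(".")
    try:
        header = json.loads(b64url_decode(parts[0]))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return "unknown"
    if not isinstance(header, dict):
        return "unknown"
    if len(parts) == 5 and "enc" in header:
        return "JWE"
    if len(parts) == 3 and "alg" in header:
        return "JWS"
    return "unknown"

def nesting_order(token: str) -> str:
    """Report the nesting order that is visible without any keys."""
    outer = layer_type(token)
    if outer == "JWE":
        # The plaintext is opaque until decrypted; the receiver must then
        # require it to be a JWS and verify that signature.
        return "jwe-outer"
    if outer == "JWS":
        try:
            payload = b64url_decode(token.split(".")[1]).decode("latin-1")
        except ValueError:
            return "unknown"
        return "encrypt-then-sign" if layer_type(payload) == "JWE" else "jws-only"
    return "unknown"

def compact(*segments: bytes) -> str:
    return ".".join(b64url_encode(s) for s in segments)

# Constructed samples: IV, ciphertext, tag and signature are placeholder bytes.
JWS_HDR = json.dumps({"alg": "HS256"}).encode()
JWE_HDR = json.dumps({"alg": "dir", "enc": "A128GCM", "cty": "JWT"}).encode()
SAMPLE_JWE = compact(JWE_HDR, b"", b"iv", b"ciphertext", b"tag")
SAMPLE_ENCRYPT_THEN_SIGN = compact(JWS_HDR, SAMPLE_JWE.encode(), b"sig")
SAMPLE_JWS = compact(JWS_HDR, b'{"sub":"alice"}', b"sig")
```

A result of `jwe-outer` only shows the outer layer; the inner signature still has to be present and verified after decryption.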
