Thanks for the review, Linda.

I think I'd need a more precise explanation of what attack you are describing
as "spoofing the encrypted content" to be able to definitively answer your
question. I say that, because in general it's perfectly legitimate for *any*
party to encrypt content to a recipient's public encryption key for use by the
recipient. If the recipient wants to determine the identity of the sender,
that's typically done by having the sender sign the message (which can be done
with the related draft-ietf-jose-json-web-signature spec).

Another answer is that if symmetric encryption keys are being used, there may
be a presumption that only legitimate senders will be in possession of those
keys.

Do those answers address the point of your question, or were you thinking of
something else?

-- Mike

From: Linda Dunbar [mailto:[email protected]]
Sent: Friday, September 19, 2014 1:40 PM
To: [email protected]; [email protected];
[email protected]
Subject: review comment to draft-ietf-jose-json-web-encryption-31

I have reviewed this document as part of the Operational directorate's ongoing
effort to review all IETF documents being processed by the IESG.

The draft is written very well. The encryption process is well described.

The only question I have is how to prevent unintended parties from spoofing the
encrypted content?

Linda Dunbar
Huawei USA IP Technology Lab
5340 Legacy Drive,
Plano, TX 75024
Tel: +1 469-277 - 5840
Fax: +1 469 -277 - 5900
_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
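
The point made in the reply above, as an added example that is not part of the thread or of the JOSE drafts: encrypting to a recipient's public key needs no secret, so a successful decryption does not identify the sender, while a signature carried inside the ciphertext does. It uses Node's built-in `crypto` with RSA-OAEP key wrapping and AES-256-GCM rather than the JWE/JWS serializations; all key names, function names and payloads are constructed for illustration.

```javascript
// Added illustration with constructed keys; not the JWE/JWS wire format.
const crypto = require('node:crypto');

const recipient = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const alice = crypto.generateKeyPairSync('ed25519'); // the sender the recipient expects
const other = crypto.generateKeyPairSync('ed25519'); // any other party
const oaep = (key) => ({ key, padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' });

// Encrypt to the recipient: a fresh AES-256-GCM content key is wrapped with
// RSA-OAEP. Only the recipient's PUBLIC key is needed, so any party can do this.
function encryptTo(publicKey, plaintext) {
  const cek = crypto.randomBytes(32), iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', cek, iv);
  const ciphertext = Buffer.concat([c.update(plaintext), c.final()]);
  return { wrappedKey: crypto.publicEncrypt(oaep(publicKey), cek), iv, ciphertext, tag: c.getAuthTag() };
}

// Decrypt with the recipient's private key; the GCM tag shows the ciphertext
// was not modified, but says nothing about who produced it.
function decrypt(privateKey, m) {
  const cek = crypto.privateDecrypt(oaep(privateKey), m.wrappedKey);
  const d = crypto.createDecipheriv('aes-256-gcm', cek, m.iv);
  d.setAuthTag(m.tag);
  return Buffer.concat([d.update(m.ciphertext), d.final()]);
}

// Sign-then-encrypt: the Ed25519 signature (64 bytes) travels inside the ciphertext.
function signThenEncrypt(senderPrivateKey, recipientPublicKey, payload) {
  const body = Buffer.from(payload);
  const sig = crypto.sign(null, body, senderPrivateKey);
  return encryptTo(recipientPublicKey, Buffer.concat([sig, body]));
}

// Returns the payload only if the expected sender signed it, otherwise null.
function decryptAndVerify(recipientPrivateKey, expectedSenderPublicKey, m) {
  const inner = decrypt(recipientPrivateKey, m);
  if (inner.length < 64) return null; // too short to carry a signature
  const sig = inner.subarray(0, 64), body = inner.subarray(64);
  return crypto.verify(null, body, expectedSenderPublicKey, sig) ? body.toString() : null;
}
```

A message signed with `other`'s key decrypts cleanly with `decrypt` but is rejected by `decryptAndVerify` when the recipient checks it against `alice.publicKey`.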