Thanks for your review, Ted. I'm adding the working group to the thread so they're aware of your comments.
> -----Original Message-----
> From: Ted Lemon [mailto:ted.le...@nominum.com]
> Sent: Thursday, October 02, 2014 6:58 AM
> To: The IESG
> Cc: oauth-cha...@tools.ietf.org; draft-ietf-oauth-json-web-to...@tools.ietf.org
> Subject: Ted Lemon's No Objection on draft-ietf-oauth-json-web-token-27: (with COMMENT)
>
> Ted Lemon has entered the following ballot position for
> draft-ietf-oauth-json-web-token-27: No Objection
>
> When responding, please keep the subject line intact and reply to all email
> addresses included in the To and CC lines. (Feel free to cut this introductory
> paragraph, however.)
>
> Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
>
> The document, along with other ballot positions, can be found here:
> http://datatracker.ietf.org/doc/draft-ietf-oauth-json-web-token/
>
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> The suggested pronunciation of JWT is the same as the English word
> "jot".
>
> I would have gone with "jute". :) Also, this doesn't belong in the
> abstract. It appears to have crept in as a result of cutting and pasting the
> introduction into the abstract.

You're not the first person with knowledge of Welsh to make the same comment. :-) (And this is a Jones responding...)

I'll plan to remove the sentence from the abstract.

> Is there any reason not to just require this:
>
> While syntactically the signing and encryption operations for Nested
> JWTs may be applied in any order, normally senders should sign the
> message and then encrypt the result (thus encrypting the signature).
> This prevents attacks in which the signature is stripped, leaving
> just an encrypted message, as well as providing privacy for the
> signer. Furthermore, signatures over encrypted text are not
> considered valid in many jurisdictions.
>
> When does it make sense not to do it this way?

Sometimes authenticated encryption alone is good enough without requiring a signature. Different applications will have different requirements. So while this section discusses the applicable considerations, the working group felt that it was going too far to make this prescriptive.

Thanks again,
-- Mike

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
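The sign-then-encrypt ordering for Nested JWTs that the quoted draft text recommends, shown as an added example; this is illustration code written for this page, not code from the draft, the working group or the thread. It assumes an HS256 inner JWS and a "dir"/A256GCM outer JWE (one valid choice among many), and the keys, nonce and claims are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)
var b64 = base64.RawURLEncoding

// signJWS: HS256 JWS compact serialization over payload (the inner, signed JWT).
func signJWS(payload, macKey []byte) string {
	in := b64.EncodeToString([]byte(`{"alg":"HS256"}`)) + "." + b64.EncodeToString(payload)
	mac := hmac.New(sha256.New, macKey)
	mac.Write([]byte(in))
	return in + "." + b64.EncodeToString(mac.Sum(nil))
}

// encryptJWE: JWE compact serialization using direct encryption ("dir") with A256GCM.
// cty "JWT" tells the recipient the plaintext is itself a JWT, and the AAD is the
// ASCII form of the base64url protected header, as JWE requires.
func encryptJWE(plaintext, cek, iv []byte) string {
	hdr := b64.EncodeToString([]byte(`{"alg":"dir","enc":"A256GCM","cty":"JWT"}`))
	block, err := aes.NewCipher(cek) // cek must be 32 bytes for A256GCM
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	sealed := gcm.Seal(nil, iv, plaintext, []byte(hdr))
	n := len(sealed) - gcm.Overhead() // Go appends the 16-byte tag to the ciphertext
	// header . encrypted key (empty for "dir") . IV . ciphertext . tag
	return strings.Join([]string{hdr, "", b64.EncodeToString(iv),
		b64.EncodeToString(sealed[:n]), b64.EncodeToString(sealed[n:])}, ".")
}

// nestedJWT applies the order the draft recommends: sign, then encrypt the JWS, so the
// signature sits inside the ciphertext; on the wire the token is a five-segment JWE.
func nestedJWT(claims, macKey, cek, iv []byte) string {
	return encryptJWE([]byte(signJWS(claims, macKey)), cek, iv)
}

func main() {
	// Constructed sample key material and nonce; real deployments use random values.
	cek, iv := []byte("0123456789abcdef0123456789abcdef"), []byte("unique-nonce")
	fmt.Println(nestedJWT([]byte(`{"iss":"joe","exp":1300819380}`), []byte("mac-key"), cek, iv))
}
```

A recipient must decrypt the outer JWE before it can see or verify the inner JWS, which is exactly why the signature cannot simply be removed from a token built this way.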