> -----Original Message-----
> From: Ted Lemon [mailto:[email protected]]
> Sent: Monday, October 06, 2014 12:49 PM
> To: Mike Jones
> Cc: The IESG; [email protected]; draft-ietf-oauth-json-web-[email protected]; [email protected]
> Subject: Re: Ted Lemon's No Objection on draft-ietf-oauth-json-web-token-27: (with COMMENT)
>
> On Oct 6, 2014, at 3:54 AM, Mike Jones <[email protected]>
> wrote:
> > Sometimes authenticated encryption alone is good enough without requiring a
> > signature. Different applications will have different requirements. So
> > while this section discusses the applicable considerations, the working
> > group felt that it was going too far to make this prescriptive.
>
> But if you don't need to sign the message, why sign it?
The working group isn't advocating signing the token if it's not necessary.
The clause we're discussing is just intended to provide guidance to application
architects in the case that both signing and encryption are necessary.
I propose that we add language about "If both signing and encryption are
necessary" in order to make the context of this advice clear. Would that
resolution be acceptable to you, Ted?
-- Mike
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth