On Oct 7, 2014, at 1:29 AM, Mike Jones <[email protected]> wrote:
> I propose that we add language about "If both signing and encryption are
> necessary" in order to make the context of this advice clear. Would that
> resolution be acceptable to you, Ted?

So you're saying that if signing and encryption are necessary, signing before encrypting is RECOMMENDED because of the attacks you described? I guess I'm okay with that.

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
