In XMLDSig, if you are using a non-AEAD encryption algorithm, you may well need to sign over the encrypted information to protect it from modification.

In SAML some people sign the assertion, encrypt the assertion, and then sign the message. The main reason for signing inside the encryption tends to be legal, in that a signature over something you can't see is not considered enforceable in most places. So if you are signing for non-repudiation, then inside the encryption is typically required.

As JOSE only supports AEAD encryption, over-signing to protect the encrypted message from tampering is not required. So if you require both signing to identify the sender and encryption for confidentiality, then sign and then encrypt is the best bet. On the other hand, we can't preclude other valid use cases if someone needs to encrypt and then sign so that perhaps intermediate hops can validate the signature. That is why it is SHOULD and not MUST.

Regards
John B.

On Oct 7, 2014, at 11:26 AM, Ted Lemon <[email protected]> wrote:

> On Oct 7, 2014, at 1:29 AM, Mike Jones <[email protected]> wrote:
>> I propose that we add language about "If both signing and encryption are
>> necessary" in order to make the context of this advice clear. Would that
>> resolution be acceptable to you, Ted?
>
> So you're saying that if signing and encryption are necessary, signing before
> encrypting is RECOMMENDED because of the attacks you described? I guess I'm
> okay with that.
