> -----Original Message-----
> From: Ted Lemon [mailto:[email protected]]
> Sent: Tuesday, October 07, 2014 10:30 AM
> To: John Bradley
> Cc: The IESG; Mike Jones; [email protected];
> [email protected]; [email protected]
> Subject: Re: Ted Lemon's No Objection on draft-ietf-oauth-json-web-token-27:
> (with COMMENT)
>
> On Oct 7, 2014, at 1:14 PM, John Bradley <[email protected]> wrote:
> > Encrypting and then signing is likely only a special case used by some
> > applications that are configured to understand what is going on.
>
> This isn't really responsive to what I said. As I said, I'm just asking you
> to be consistent, not to change the requirements. I don't think that text in
> the security considerations section addresses the inconsistency I'm talking
> about in a different section. That said, please don't continue to talk to me
> about this. If you think there's an action to take, take it. If not, no need
> to continue trying to explain. I'm okay with it either way.

I'll plan to take the action described yesterday that you said you were OK with
- adding language about "If both signing and encryption are necessary" in order
to make the context of this advice clear. I believe that that will improve the
understanding of this guidance by many readers.

Thanks again for the discussion, Ted.

-- Mike