https://tools.ietf.org/html/rfc7519#section-11.2
It is in the JWT spec.

You can do it both ways; however, you really need a good reason not to sign then encrypt, and then after you have a good reason you should still sign then encrypt because you probably have not considered everything. There are probably some edge cases that are exceptions to the rule, but they are rare.

John B.

> On Jul 16, 2015, at 11:33 PM, Malla Simhachalam <mallasimhacha...@gmail.com> wrote:
>
> Hi,
>
> I am looking at the spec https://datatracker.ietf.org/doc/rfc7520/?include_text=1 for combining JWS and JWE use case, I could not find it obvious that a JSON document should be signed first and then encrypt or other way around. Are there any recommendations one over the other?
>
> Thanks for help.
> Malla
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
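The sign-then-encrypt ordering recommended in the reply, as an added example that is not part of the original thread: an inner JWS is built first and then carried as the plaintext of an outer JWE, and the recipient reverses the order. The algorithm choices (HS256 inside, `dir` with A256GCM outside), the function names and the demo keys are assumptions made for this illustration.

```javascript
const { createHmac, createCipheriv, createDecipheriv, randomBytes, timingSafeEqual } = require('node:crypto');

const b64u = (x) => Buffer.from(x).toString('base64url');
const unb64u = (s) => Buffer.from(s, 'base64url');
// Both headers are pinned; "cty":"JWT" marks the JWE plaintext as a nested JWT (RFC 7519).
const INNER = b64u('{"alg":"HS256","typ":"JWT"}');
const OUTER = b64u('{"alg":"dir","enc":"A256GCM","cty":"JWT"}');
const hs256 = (input, macKey) => createHmac('sha256', macKey).update(input).digest();

function signThenEncrypt(claims, macKey, encKey) {
  const input = `${INNER}.${b64u(JSON.stringify(claims))}`;
  const jws = `${input}.${b64u(hs256(input, macKey))}`; // 1. sign the claims
  const iv = randomBytes(12);
  const c = createCipheriv('aes-256-gcm', encKey, iv); // 2. encrypt the whole JWS
  c.setAAD(Buffer.from(OUTER, 'ascii')); // protected header is authenticated data
  const ct = Buffer.concat([c.update(jws, 'utf8'), c.final()]);
  // Compact JWE: header.encrypted_key.iv.ciphertext.tag (encrypted_key is empty for "dir")
  return [OUTER, '', b64u(iv), b64u(ct), b64u(c.getAuthTag())].join('.');
}

function decryptThenVerify(jwe, macKey, encKey) {
  const parts = jwe.split('.');
  // Reject anything but the pinned header; never pick algorithms from the token.
  if (parts.length !== 5 || parts[0] !== OUTER || parts[1] !== '') throw new Error('unexpected JWE');
  const [iv, ct, tag] = parts.slice(2).map(unb64u);
  if (iv.length !== 12 || tag.length !== 16) throw new Error('unexpected JWE');
  const d = createDecipheriv('aes-256-gcm', encKey, iv);
  d.setAAD(Buffer.from(OUTER, 'ascii'));
  d.setAuthTag(tag);
  const jws = Buffer.concat([d.update(ct), d.final()]).toString('utf8'); // final() throws on tampering
  const cut = jws.lastIndexOf('.');
  const input = jws.slice(0, cut);
  const sig = unb64u(jws.slice(cut + 1));
  const want = hs256(input, macKey);
  if (!input.startsWith(`${INNER}.`) || sig.length !== want.length || !timingSafeEqual(sig, want)) {
    throw new Error('inner signature invalid');
  }
  return JSON.parse(unb64u(input.slice(INNER.length + 1)).toString('utf8'));
}

// Constructed demo keys and claims; real keys come from a key store and differ per purpose.
const demoMacKey = Buffer.alloc(32, 1);
const demoEncKey = Buffer.alloc(32, 2);
const demoToken = signThenEncrypt({ sub: 'alice' }, demoMacKey, demoEncKey);
console.log(demoToken.split('.').length, decryptThenVerify(demoToken, demoMacKey, demoEncKey));
```

With this ordering the signature travels inside the ciphertext, so it cannot be stripped or replaced without the encryption key, and the signer's identity is not visible to anyone who cannot decrypt.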