Yep, that's what I'm looking for. Thanks.

On Thu, Jul 30, 2015 at 1:57 PM, Mike Jones <[email protected]> wrote:

> I’m fine updating the draft to say that the symmetric key can be carried
> in the “jwk” element in an unencrypted form if the JWT is itself
> encrypted. That’s what you’re looking for, right?
>
> -- Mike
>
> *From:* OAuth [mailto:[email protected]] *On Behalf Of *John Bradley
> *Sent:* Thursday, July 30, 2015 11:29 AM
> *To:* Brian Campbell <[email protected]>
> *Cc:* oauth <[email protected]>
> *Subject:* Re: [OAUTH-WG] JWT PoP Key Semantics WGLC followup 2 (was Re:
> proof-of-possession-02 unencrypted oct JWK in encrypted JWT okay?)
>
> Yes, encrypting the claim should only be required when the entire JWT is
> not encrypted. I will have a look.
>
> John B.
>
> On Jul 30, 2015, at 3:12 PM, Brian Campbell <[email protected]>
> wrote:
>
> I raised the below question during the WGLC back in March but never got
> any response.
>
> JWE does add nontrivial size overhead to the message and in the case that
> a JWT containing a symmetric confirmation key is already a JWE, the spec
> would seem to require two layers of encryption and the associated
> overhead that comes with it - even though the key is already encrypted by
> the outer JWE layer.
>
> I believe the draft should speak to how a symmetric key can be represented as
> a claim in the clear when the encryption of it is provided by the JWE/JWT that
> contains it.
>
> On Mon, Mar 23, 2015 at 12:40 AM, Brian Campbell <
> [email protected]> wrote:
>
> When the JWT is itself encrypted as a JWE, would it not be reasonable to
> have a symmetric key be represented in the cnf claim with the jwk member as
> an unencrypted JSON Web Key?
>
> Is such a possibility left as an exercise to the reader? Or should it be
> more explicitly allowed or disallowed?
>
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
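The rule this thread converges on, sketched as a receiver-side check. This is an added example, not code from the draft or from any participant: the function names are hypothetical, the sample tokens and key are constructed, and the claims are assumed to have been decrypted and verified by a real JOSE library beforehand.

```python
import base64
import json

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url(obj) -> str:
    # Helper used only to build the constructed samples below.
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def outer_is_jwe(compact_token: str) -> bool:
    """A compact JWE has five segments and an "enc" header; a JWS has three."""
    parts = compact_token.split(".")
    if len(parts) != 5:
        return False
    return "enc" in json.loads(_b64url_decode(parts[0]))

def check_cnf(claims: dict, jwt_was_encrypted: bool) -> str:
    """Classify the confirmation key and reject a cleartext symmetric key
    carried in a JWT that was not itself encrypted."""
    cnf = claims.get("cnf")
    if not isinstance(cnf, dict):
        raise ValueError("missing cnf claim")
    if "jwe" in cnf:
        # Key individually encrypted: acceptable whether or not the JWT is a JWE.
        return "encrypted-key"
    jwk = cnf.get("jwk")
    if not isinstance(jwk, dict):
        raise ValueError("cnf carries neither jwk nor jwe")
    if jwk.get("kty") == "oct":
        if not jwt_was_encrypted:
            raise ValueError("cleartext symmetric key in a JWT that is not encrypted")
        return "symmetric-in-encrypted-jwt"
    if "d" in jwk:
        raise ValueError("private key material in cnf.jwk")
    return "public-key"

# Constructed samples: headers are real JSON, all other segments are dummies.
SAMPLE_JWE = _b64url({"alg": "dir", "enc": "A128GCM"}) + "..aXY.Y3Q.dGFn"
SAMPLE_JWS = _b64url({"alg": "HS256"}) + ".e30.c2ln"
SAMPLE_CLAIMS = {"iss": "https://as.example",
                 "cnf": {"jwk": {"kty": "oct", "k": "Y29uc3RydWN0ZWQta2V5"}}}

if __name__ == "__main__":
    print(check_cnf(SAMPLE_CLAIMS, outer_is_jwe(SAMPLE_JWE)))
    try:
        check_cnf(SAMPLE_CLAIMS, outer_is_jwe(SAMPLE_JWS))
    except ValueError as err:
        print("rejected:", err)
```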
