Snip
> On Jan 3, 2017, at 2:36 PM, Nat Sakimura <[email protected]> wrote:
>
> 2) On page 9 the text states:
> The authorization request object MUST be either
> (a) JWS signed; or
> (b) JWE encrypted; or
> (c) JWS signed and JWE encrypted.
>
> This should be replaced by:
> The authorization request object MUST be either
> (a) JWS signed;
> (b) JWE encrypted (when secret keys are being used); or
> (c) JWS signed and JWE encrypted.
>
> That's acceptable. (Thanks for amending your proposal after several private
> exchanges.)
>
Secret is not a clear term to use. It should be JWE encrypted (when symmetric
keys are being used).
The private part of an RSA keypair is also secret.
John B.
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
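
The rule discussed in this thread, with "symmetric keys" read as the JWE key-management algorithms of RFC 7518 that depend on a shared key, can be pre-checked from the JOSE header alone. This is an added example, not part of the message or of the draft; the function names and return labels are hypothetical, and the sample tokens are constructed.

```python
import base64
import json

# JWE "alg" values from RFC 7518 whose key management relies on a shared symmetric key.
SYMMETRIC_JWE_ALGS = {
    "dir", "A128KW", "A192KW", "A256KW",
    "A128GCMKW", "A192GCMKW", "A256GCMKW",
    "PBES2-HS256+A128KW", "PBES2-HS384+A192KW", "PBES2-HS512+A256KW",
}

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_sample(header: dict, segments: int) -> str:
    """Build a constructed compact token: real header, dummy remaining segments."""
    return ".".join([_b64url(json.dumps(header).encode())] + ["AA"] * (segments - 1))

def classify_request_object(compact: str) -> str:
    """Hypothetical pre-check: which of (a)/(b)/(c) can this request object satisfy?"""
    parts = compact.split(".")
    try:
        padded = parts[0] + "=" * (-len(parts[0]) % 4)
        header = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError:  # bad base64, bad UTF-8 and bad JSON all derive from ValueError
        return "reject"
    if not isinstance(header, dict):
        return "reject"
    alg = header.get("alg")
    if not isinstance(alg, str):
        return "reject"
    if len(parts) == 3:  # JWS compact serialization
        return "reject" if alg == "none" else "jws-signed"      # (a)
    if len(parts) == 5:  # JWE compact serialization
        if alg in SYMMETRIC_JWE_ALGS:
            return "jwe-symmetric"        # (b): encryption alone is acceptable
        return "jwe-inner-jws-required"   # only (c): decrypted payload must be a JWS
    return "reject"

if __name__ == "__main__":
    for hdr, n in [({"alg": "RS256"}, 3), ({"alg": "dir", "enc": "A256GCM"}, 5),
                   ({"alg": "RSA-OAEP", "enc": "A256GCM"}, 5), ({"alg": "none"}, 3)]:
        print(hdr["alg"], "->", classify_request_object(make_sample(hdr, n)))
```

The check only routes the object; signature verification and decryption still have to succeed before the request is trusted.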