Re: [OAUTH-WG] Ted Lemon's No Objection on draft-ietf-oauth-json-web-token-27: (with COMMENT)

2014-10-07 Thread Ted Lemon
On Oct 7, 2014, at 1:29 AM, Mike Jones michael.jo...@microsoft.com wrote: I propose that we add language about "If both signing and encryption are necessary" in order to make the context of this advice clear. Would that resolution be acceptable to you, Ted? So you're saying that if signing

Re: [OAUTH-WG] Ted Lemon's No Objection on draft-ietf-oauth-json-web-token-27: (with COMMENT)

2014-10-07 Thread Ted Lemon
On Oct 7, 2014, at 10:57 AM, John Bradley ve7...@ve7jtb.com wrote: The main reason for signing inside the encryption tends to be legal, in that a signature over something you can't see is not considered enforceable most places. So if you are signing for non-repudiation then inside the

Re: [OAUTH-WG] Ted Lemon's No Objection on draft-ietf-oauth-json-web-token-27: (with COMMENT)

2014-10-07 Thread John Bradley
Section 11.2 makes both points. Encrypting and then signing is likely only a special case used by some applications that are configured to understand what is going on. If you are going to do it in that order you would want to be certain that you don't accept a JWT that has no signature.

Re: [OAUTH-WG] Ted Lemon's No Objection on draft-ietf-oauth-json-web-token-27: (with COMMENT)

2014-10-07 Thread Mike Jones
-Original Message- From: Ted Lemon [mailto:ted.le...@nominum.com] Sent: Tuesday, October 07, 2014 10:30 AM To: John Bradley Cc: The IESG; Mike Jones; draft-ietf-oauth-json-web-to...@tools.ietf.org; oauth-cha...@tools.ietf.org; oauth@ietf.org Subject: Re: Ted Lemon's No Objection on

Re: [OAUTH-WG] Ted Lemon's No Objection on draft-ietf-oauth-json-web-token-27: (with COMMENT)

2014-10-07 Thread Kathleen Moriarty
Thank you, both! I'm glad to see this one resolved. FYI - I'll be at the Grace Hopper Celebration through Friday evening and may be slow to respond, but will be following along. On Tue, Oct 7, 2014 at 9:06 PM, Mike Jones michael.jo...@microsoft.com wrote: -Original Message- From:

Re: [OAUTH-WG] Ted Lemon's No Objection on draft-ietf-oauth-json-web-token-27: (with COMMENT)

2014-10-07 Thread Ted Lemon
On Oct 7, 2014, at 9:06 PM, Mike Jones michael.jo...@microsoft.com wrote: I'll plan to take the action described yesterday that you said you were OK with - adding language about "If both signing and encryption are necessary" in order to make the context of this advice clear. I believe that