Re: [OAUTH-WG] Nesting Signatures and Encryption JWT Tokens
https://tools.ietf.org/html/rfc7519#section-11.2
It is in the JWT spec. You can do it both ways however you really need a
good reason not to sign then encrypt
*From:* OAuth [mailto:oauth-boun...@ietf.org] *On Behalf Of* John Bradley
*Sent:* Friday, July 17, 2015 7:45 AM
*To:* Malla Simhachalam mallasimhacha...@gmail.com
*Cc:* oauth@ietf.org
*Subject:* Re: [OAUTH-WG] Nesting Signatures and Encryption JWT Tokens
https://tools.ietf.org/html/rfc7519#section
Subject: Re: [OAUTH-WG] Nesting Signatures and Encryption JWT Tokens
https://tools.ietf.org/html/rfc7519#section-11.2
It is in the JWT spec. You can do it both ways however you really need a
good reason not to sign then encrypt, and then after you have a good reason
you should still sign
...@gmail.com
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Nesting Signatures and Encryption JWT Tokens
https://tools.ietf.org/html/rfc7519#section-11.2
-- Mike
From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of John Bradley
Sent: Friday, July 17, 2015 7:02 AM
To: Brian Campbell
Cc: oauth
Subject: Re: [OAUTH-WG] Nesting Signatures and Encryption JWT Tokens
They provide integrity protection for the encryption
That’s what test vectors and interop testing are for!
From: Justin Richer [mailto:jric...@mit.edu]
Sent: Friday, July 17, 2015 10:38 AM
To: Mike Jones
Cc: John Bradley; Brian Campbell; oauth@ietf.org
Subject: Re: [OAUTH-WG] Nesting Signatures and Encryption JWT Tokens
Unless you’re implementing
Cheers,
-- Mike
From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of John Bradley
Sent: Friday, July 17, 2015 7:02 AM
To: Brian Campbell
Cc: oauth
Subject: Re: [OAUTH-WG] Nesting Signatures and Encryption JWT Tokens
https://tools.ietf.org/html/rfc7519#section-11.2
It is in the JWT spec. You can do it both ways however you really need a good
reason not to sign then encrypt, and then after you have a good reason you
should still sign then encrypt because
Hi,
I am looking at the spec
https://datatracker.ietf.org/doc/rfc7520/?include_text=1 for the combined JWS
and JWE use case. I could not find it obvious whether a JSON document should
be signed first and then encrypted, or the other way around. Are there any
recommendations for one over the other?
Thanks for