If you don't have an envelope, you don't have a standard way of looking at what the contents might be. It is like HTTP headers vs the body of the message. Fairly standard architectural practice that makes extensions easy instead of a hack.
There are many use cases where encryption is needed. People that need it are not participating in the WG now -- but the requirement was stated by numerous people at IIW a year ago when we presented WRAP. It is needed if you want higher LOA. A common envelope makes it much easier, and makes supporting alternative signing mechanisms easier to deploy without busting existing code. History has shown time and time again that near-sighted architectural approaches lead to pain later when something needs to be changed or added. Of course, over-architected approaches never get deployed. I see adding an envelope as a nice balance where one does not need to have figured everything out, but there is a clear extension mechanism separated from the payload.

On 2010-09-27, at 6:55 AM, David Recordon wrote:

> I thought the discussion from June had most people not needing encryption and an extra envelope. Given how Mike wrote this spec it seems like supporting encryption with an extra envelope is possible, but shouldn't be required if all you're doing is signing.
>
> On Sun, Sep 26, 2010 at 9:55 PM, Dick Hardt <dick.ha...@gmail.com> wrote:
> Don't put the signature information in the token, put it in a separate component (an envelope) that describes how the token is either signed or encrypted. See discussion from June:
>
> http://www.ietf.org/mail-archive/web/oauth/current/msg03211.html
>
> On 2010-09-26, at 9:20 PM, Mike Jones wrote:
>
>> I’d be open to a proposal for also supporting encryption. The draft was intended to be a starting point for productive discussion – not a finished product.
>>
>> Your thoughts?
>>
>> -- Mike
>>
>> From: Dick Hardt [mailto:dick.ha...@gmail.com]
>> Sent: Sunday, September 26, 2010 9:17 PM
>> To: Mike Jones
>> Cc: oauth@ietf.org
>> Subject: Re: [OAUTH-WG] JSON Web Token (JWT) Specification Draft
>>
>> Did you intentionally decide not to support encrypting the token?
>>
>> On 2010-09-23, at 5:22 PM, Mike Jones wrote:
>>
>> Recognizing that there is substantial interest in representing sets of claims in JSON tokens, Yaron Goland and I have put together a draft JSON Web Token (JWT) spec for that purpose.
>>
>> To answer the obvious question, while this was produced independently of Dirk’s JSON token proposal, both of us agree that we should come up with a unified spec. Consider this an additional point in the possible design space from which to start discussions and drive consensus. (If you read the two proposals, I think you’ll find that there’s already a lot in common, which is great.)
>>
>> Thanks to those of you who have already given us feedback to improve the draft prior to this point.
>>
>> Cheers,
>> -- Mike
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
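The envelope-versus-payload split argued for in this thread, as an added example that is not code from the thread, from the JWT draft, or from any of its authors: a minimal signed token whose envelope (header) names the protection mechanism, and a verifier that reads the envelope first and applies only the mechanisms it has explicitly enabled. It assumes the compact base64url, dot-separated encoding the later JWT specification standardized, and implements HS256 only; the `mint`, `verify` and `accepts` names are this example's own.

```python
import base64
import hashlib
import hmac
import json

# Constructed example: the envelope carries "how is this protected", the
# payload carries only the claims. Adding encryption later means adding
# fields to the envelope, not changing the payload format.


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Return envelope.payload.signature; only HS256 is implemented here."""
    if alg != "HS256":
        raise ValueError("unsupported alg for minting: " + alg)
    envelope = _b64url(json.dumps({"typ": "JWT", "alg": alg}).encode())
    payload = _b64url(json.dumps(claims).encode())
    signing_input = (envelope + "." + payload).encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return envelope + "." + payload + "." + _b64url(sig)


def verify(token: str, key: bytes, allowed_algs=("HS256",)) -> dict:
    """Parse the envelope, refuse any mechanism the verifier has not opted
    into, then check the signature over envelope and payload."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected 3 segments")
    env_b64, payload_b64, sig_b64 = parts
    alg = json.loads(_unb64url(env_b64)).get("alg")
    # The verifier's policy, not the token, decides which mechanisms count.
    if alg not in allowed_algs:
        raise ValueError("rejected alg from envelope: %r" % (alg,))
    if alg == "HS256":
        expected = hmac.new(key, (env_b64 + "." + payload_b64).encode("ascii"),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(sig_b64)):
            raise ValueError("bad signature")
    return json.loads(_unb64url(payload_b64))


def accepts(token: str, key: bytes, allowed_algs=("HS256",)) -> bool:
    """True when verify() succeeds, False on any rejection."""
    try:
        verify(token, key, allowed_algs)
        return True
    except ValueError:
        return False
```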