Though you want to be careful with that as the asymmetric algs in JWE don't provide authentication of the sender.

On Thu, Jul 16, 2015 at 11:26 PM, Nat Sakimura <n-sakim...@nri.co.jp> wrote:

> Hi Malla,
>
> Just to add one more thing:
>
> If you just want to “sign” for the sake of integrity protection, you
> really do not need to do it as all the algs in JWE are integrity protected.
>
> --
> Nat Sakimura <n-sakim...@nri.co.jp>
> Nomura Research Institute, Ltd.
>
> *From:* OAuth [mailto:oauth-boun...@ietf.org] *On Behalf Of *John Bradley
> *Sent:* Friday, July 17, 2015 7:45 AM
> *To:* Malla Simhachalam <mallasimhacha...@gmail.com>
> *Cc:* oauth@ietf.org
> *Subject:* Re: [OAUTH-WG] Nesting Signatures and Encryption JWT Tokens
>
> https://tools.ietf.org/html/rfc7519#section-11.2
>
> It is in the JWT spec. You can do it both ways however you really need a
> good reason not to sign then encrypt, and then after you have a good reason
> you should still sign then encrypt because you probably have not considered
> everything,
>
> There are probably some edge cases that are exceptions to the rule, but
> they are rare.
>
> John B.
>
> On Jul 16, 2015, at 11:33 PM, Malla Simhachalam <
> mallasimhacha...@gmail.com> wrote:
>
> Hi,
>
> I am looking at the spec
> https://datatracker.ietf.org/doc/rfc7520/?include_text=1 for combining
> JWS and JWE use case, I could not find it obvious that a JSON document
> should be signed first and then encrypt or other way around. Are there any
> recommendations one over the other?
>
> Thanks for help.
>
> Malla
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
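
The points made in this thread (JWE integrity does not authenticate the sender when a public-key algorithm is used, and RFC 7519 nested JWTs are signed then encrypted) can be turned into a receiver-side header check. This is an added example, not code from any participant in the thread; the function names and the reject/accept policy strings are assumptions, and actual decryption and signature verification are left to a JOSE library.

```python
import base64
import json

# JWE key-management "alg" families (RFC 7518) that encrypt to the recipient's
# public key: anyone holding that public key can produce a valid token.
PUBLIC_KEY_ALG_PREFIXES = ("RSA", "ECDH-ES")


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def header_of(compact: str, segments: int) -> dict:
    """Decode the protected header of a compact JWE (5 segments) or JWS (3)."""
    parts = compact.split(".")
    if len(parts) != segments:
        raise ValueError(f"expected {segments} segments, got {len(parts)}")
    raw = parts[0] + "=" * (-len(parts[0]) % 4)
    hdr = json.loads(base64.urlsafe_b64decode(raw))
    if not isinstance(hdr, dict):
        raise ValueError("header is not a JSON object")
    return hdr


def outer_policy(jwe: str) -> str:
    """Assumed policy: decide from the JWE header what must happen next."""
    hdr = header_of(jwe, 5)
    if str(hdr.get("cty", "")).upper() == "JWT":  # RFC 7519 nested JWT marker
        return "decrypt-then-verify-inner-jws"    # cty is only a claim: verify it
    if str(hdr.get("alg", "")).startswith(PUBLIC_KEY_ALG_PREFIXES):
        return "reject-no-sender-authentication"
    return "decrypt-shared-key-only"              # sender is some holder of the key


def inner_is_signed(plaintext: str) -> bool:
    """After decryption: the payload must be a JWS whose alg is not 'none'."""
    try:
        alg = header_of(plaintext, 3).get("alg")
    except ValueError:
        return False
    return isinstance(alg, str) and alg.lower() != "none"


def fake_token(header: dict, segments: int) -> str:
    """Constructed sample: real header, placeholder bytes for other segments."""
    return ".".join([b64url(json.dumps(header).encode())] + ["AA"] * (segments - 1))


if __name__ == "__main__":
    print(outer_policy(fake_token({"alg": "RSA-OAEP", "enc": "A256GCM"}, 5)))
```

`inner_is_signed` only confirms that the decrypted payload is shaped like a signed JWS; the signature itself still has to be verified against the expected sender's key.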