Yes, indeed. And when I wrote "acceptable", I meant "in principle", not verbatim ;-)
Nat

From: OAuth [mailto:[email protected]] On Behalf Of John Bradley
Sent: Wednesday, January 4, 2017 4:45 AM
To: Nat Sakimura <[email protected]>
Cc: [email protected]
Subject: Re: [OAUTH-WG] AD review of draft-ietf-oauth-jwsreq

Snip

On Jan 3, 2017, at 2:36 PM, Nat Sakimura <[email protected]> wrote:

2) On page 9 the text states:

The authorization request object MUST be either (a) JWS signed; or (b) JWE encrypted; or (c) JWS signed and JWE encrypted.

This should be replaced by:

The authorization request object MUST be either (a) JWS signed; (b) JWE encrypted (when secret keys are being used); or (c) JWS signed and JWE encrypted.

That's acceptable. (Thanks for amending your proposal after several private exchanges.)

Secret is not a clear term to use. It should be JWE encrypted (when symmetric keys are being used). The private part of an RSA keypair is also secret.

John B.
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
