On Tue, Jan 14, 2020 at 04:29:39PM -0500, George Aristy wrote:
> Hello everyone.
>
> Is it possible to relax the requirement to sign the claims set if an
> authenticated encryption mode with prior shared secrets is used? Eg.
> https://tools.ietf.org/html/draft-madden-jose-ecdh-1pu-02. This would
> reduce the size of the request object substantially.

It seems fairly late in the publication process to make such a change,
since the properties provided by digital signature and AEAD tag are
subtly different, and the key-management lifecycle needed to provide
secure operation is different.

That said, off the top of my head, I don't know of anything that would
prevent this functionality from being specified as an extension to
plain JAR.

-Ben

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth