On Thu, Apr 2, 2015 at 4:39 PM, John Bradley wrote:
> A given issuer may be allowed to sign using both ECDSA and RSA PKCS 1.5
> and that would not be a problem until one of them is deprecated.
> Having libraries assume that there can only be one alg per issuer would
> not lead to useful crypto ag
On Thu, Apr 2, 2015 at 2:42 PM, Mike Jones wrote:
> This warning is already in place in
> https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32#section-7.2.
> It says:
>
> Finally, note that it is an application decision which algorithms may
> be used in a given context. Even if a