SECDIR review: Section 4 -- Confusing requirements for sign+encrypt
Issue #24
resolved
Section 4 defines the Request Object format and provides examples. The text here is a bit confusing. It seems to state that only integrity and authenticity are mandated by this specification; confidentiality is an optional feature. However, when discussing the use of encryption that does not provide authentication, the text says that a signature “should” (not “SHOULD”) be applied. The text then says that “In this case, it [the token] MUST be signed then encrypted …” This combination of sentences is confusing and OUGHT to be revised.
Comments (2)
reporter - changed status to resolved
Fixed
#24.→ <<cset 836977d68f91>>