SECDIR review: Section 4 -- Confusing requirements for sign+encrypt

Issue #24 resolved
Nat Sakimura repo owner created an issue

Section 4 defines the Request Object format and provides examples. The text here is a bit confusing. It seems to state that only integrity and authenticity are mandated by this specification; confidentiality is an optional feature. However, when discussing the use of encryption that does not provide authentication, the text says that a signature “should” (not “SHOULD”) be applied. The text then says that “In this case, it [the token] MUST be signed then encrypted …” This combination of sentences is confusing and OUGHT to be revised.
