SECDIR review: Section 6 -- authentication and integrity need not be provided if the requestor encrypts the token?
Issue #25
resolved
Section 6 describes how to validate a received JWT request token. Section 6.1 appears to not mandate use of a signature for an encrypted token, suggesting that authentication and integrity need not be provided if the requestor encrypts the token (and does not employ an authenticated encryption algorithm).
Comments (4)
reporter: Some comments:
All JWE algorithms are integrity protecting. We also mandate JWS unless JWE uses symmetric key. It was clarified through Denis Pinkas (DP) comments, so I gather this is a Dup of the DP comment. Shall I close this as Dup?
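The rule stated in the comment above (a JWS is mandatory unless the request object is a JWE under a symmetric key-management algorithm) as an added Python policy check; this is example code, not part of the draft or the issue thread, and the set of symmetric JWE algorithms and the `cty: "JWT"` nested-JWS convention are assumptions taken from the JWA/JWT registries rather than from this page:

```python
import base64
import json

# Key-management algorithms where sender and recipient share a secret; assumed
# list for this example, taken from the JWA registry (RFC 7518 section 4.1).
SYMMETRIC_JWE_ALGS = {
    "dir", "A128KW", "A192KW", "A256KW", "A128GCMKW", "A192GCMKW", "A256GCMKW",
    "PBES2-HS256+A128KW", "PBES2-HS384+A192KW", "PBES2-HS512+A256KW",
}


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JOSE strips."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jose_header(token: str) -> dict:
    """Parse the protected header of a compact-serialized JWS or JWE."""
    return json.loads(b64url_decode(token.split(".")[0]))


def signature_required(token: str) -> bool:
    """A JWS is mandatory unless the token is a JWE whose key-management
    algorithm relies on a key shared between requestor and recipient."""
    parts = token.split(".")
    if len(parts) == 3:  # bare JWS: the signature itself is what gets verified
        return True
    if len(parts) != 5:
        raise ValueError("not a JOSE compact serialization")
    # Under a public-key JWE anyone with the recipient's public key can produce
    # a valid ciphertext, so sender authentication needs a nested JWS.
    return jose_header(token).get("alg") not in SYMMETRIC_JWE_ALGS


def check_decrypted_payload(outer_token: str, plaintext: bytes) -> bool:
    """After decrypting a JWE, confirm the policy: an asymmetric JWE must carry a
    nested JWS (cty 'JWT', three segments, alg other than 'none'). Verifying the
    inner signature is left to the caller's JWS library."""
    if not signature_required(outer_token):
        return True  # symmetric JWE: unsigned inner claims are acceptable
    if jose_header(outer_token).get("cty") != "JWT":
        return False
    inner = plaintext.decode("ascii", errors="replace")
    if len(inner.split(".")) != 3:
        return False
    return jose_header(inner).get("alg") not in (None, "none")


def make_token(header: dict, *segments: str) -> str:
    """Constructed sample: real header, placeholder body segments (no crypto)."""
    return ".".join([b64url_encode(json.dumps(header).encode())] + list(segments))
```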
reporter changed status to resolved: fixed #25 → <<cset 94c7d498d4c7>>
The relevant sentence probably is:
Perhaps we might want to add a sentence or two.