Inconsistency on the need to sign the request object
Issue #69
resolved
These two statements below appear to be inconsistent?
<t>The authorization request object MUST be one of the following: </t>
<t><list style="format (%c)">
<t>JWS signed </t>
<t>JWE encrypted (when symmetric keys are being used)</t>
<t>JWS signed and JWE encrypted</t>
</list></t>
<t>
Unless the access to the <spanx style="verb">request_uri</spanx>
over TLS provides adequate authentication of the source of
the Request Object, the Request Object MUST be JWS Signed.
</t>
Comments (2)
reporter -
repo owner - changed status to resolved
fixed
#69→ <<cset fa8eb3fa8e88>>
The implication of the 2nd point is that the request object doesn't need to be signed if the AS trusts the client identity from the TLS Cert.
I suggest either:
or
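As an added illustration (not part of this issue or of the draft's text), the AS-side acceptance rule that the second quoted statement implies under the reporter's reading: a JWS-signed or JWE-encrypted request object is accepted on its outer form, while an unsecured one is accepted only when it was fetched by request_uri over TLS that adequately authenticates the source. The helper names, the sample tokens, the placeholder signature bytes and the `via_request_uri`/`tls_authenticates_source` flags are constructed here; the gate only classifies the compact serialization and leaves signature verification and decryption to the step after it.

```python
import base64
import json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def classify_request_object(token: str) -> str:
    """Classify a compact-serialized request object by outer form only:
    'jwe' (5 segments), 'jws' (3 segments with a real alg and a signature)
    or 'unsecured' (alg "none" or an empty signature). No cryptography here."""
    parts = token.split(".")
    header = json.loads(_b64url_decode(parts[0]))
    if len(parts) == 5:
        return "jwe"
    if len(parts) == 3:
        if str(header.get("alg", "none")).lower() == "none" or parts[2] == "":
            return "unsecured"
        return "jws"
    raise ValueError("not a compact JWS or JWE")

def request_object_acceptable(token: str, *, via_request_uri: bool = False,
                              tls_authenticates_source: bool = False) -> bool:
    """Policy gate run before verification/decryption: JWS or JWE forms pass as-is;
    an unsecured object passes only when it came via request_uri over TLS that
    adequately authenticated the source (the second statement's exception)."""
    kind = classify_request_object(token)
    if kind in ("jws", "jwe"):
        return True
    return via_request_uri and tls_authenticates_source

def make_compact(header: dict, payload: dict, signature: bytes = b"") -> str:
    # Constructed sample builder; the signature bytes are a placeholder, not computed.
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(payload).encode()), _b64url(signature)])

CLAIMS = {"client_id": "example-client", "response_type": "code"}  # constructed
UNSECURED = make_compact({"alg": "none"}, CLAIMS)
SIGNED = make_compact({"alg": "RS256", "kid": "k1"}, CLAIMS, signature=b"\x00" * 32)
ENCRYPTED = ".".join([_b64url(b'{"alg":"dir","enc":"A256GCM"}'), "", _b64url(b"iv"),
                      _b64url(b"ciphertext"), _b64url(b"tag")])  # constructed JWE shape

if __name__ == "__main__":
    for name, tok in [("unsecured", UNSECURED), ("signed", SIGNED), ("encrypted", ENCRYPTED)]:
        print(name, classify_request_object(tok), request_object_acceptable(tok),
              request_object_acceptable(tok, via_request_uri=True, tls_authenticates_source=True))
```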