openid / connect / issues / #344 - Messages - Rationale for signing and encryption order needed

Issue #344 resolved

Michael Jones created an issue 2011-11-20

The spec currently says “When the message is both signed and encrypted, it MUST be signed first then encrypted.” Rationale for this order should be added to the spec.

Comments (5)

Nat Sakimura
- marked as enhancement
Noted.

This is a spec. and not whitepaper.

For people who has been working on dsig, it is obvious that otherwise it is not legally viable. Think of the case where encrypting the content with the receiver's public key first then signing over it. It is signing what the signer cannot see the content of. Thus, it is invalid as a digital signature. (It is only valid as MAC/Integrity).
- 2011-11-21T06:12:42+00:00
Michael Jones reporter
I'm fine with this being addresses with a line in the Security Considerations section.
- 2011-11-21T09:49:10+00:00
Nat Sakimura
- assigned issue to
  
  John Bradley
- changed status to open
Add some explanation text right after the original clause.
- 2011-11-21T23:56:08+00:00
John Bradley
- changed status to resolved
Fix ~~#344~~ Messages - Rational for signing then encrypting added to security

→ cb0a91de1a53
- 2011-11-26T15:47:55+00:00
John Bradley
I added it to Security Considerations and referenced it, as it was in several places.
- 2011-11-26T15:49:38+00:00
Log in to comment

Assignee: John Bradley

Type: enhancement

Priority: minor

Status: resolved

Component: –

Milestone: –

Version: –

Votes: 0

Watchers: 0