Missing clarity about JWS requirement

IHE / ITI.IUA

ITI Domain - Internet User Authorization (IUA) profile

Creative Commons Attribution 4.0 International

2 stars 4 forks source link

Missing clarity about JWS requirement #90

Open qligier opened 1 year ago

qligier commented 1 year ago

Section Number 3.71.4.2.2.1

Issue It is unclear whether JWT shall be or may be signed. The profile says JWT token shall be signed as specified in JSON Web Signature [RFC7515], which would require the use of JWS, but the next sentence starts with If signed. The first sentence could then be understood as "If signed, one must follow RFC7515" (i.e. a restriction on the signature method, and not an unconditional requirement).

Proposed Change N/A

Priority: N/A

JohnMoehrke commented 10 months ago

Martin, can you review and comment?

msmock commented 10 months ago

I agree. We should remove the "If signed" phrase from the sentence. This is not a functional change, so I guess we don't need a ballot.

JohnMoehrke commented 10 months ago

excellent, please submit a pull-request. We can review during a meeting and approve if the committee also sees it as a technical correction.