ace-wg / mqtt-tls-profile

Document for MQTT-TLS-profile

Fix PoP #87

Closed ciseng closed 2 years ago

ciseng commented 3 years ago

AD-Review: 05/08/2021 Action: Explain COSE/JOSE header; or introspection result.

Original draft: Validation of the signature or MAC MUST fail if the signature algorithm is set to "none", when the key used for the signature algorithm cannot be determined, or the computed and received signature/MAC do not match.

Comment: Where would the "none" appear? We haven't said anything about a COSE encoding for the signature or MAC value, or anything like that...I assumed it was going to be the "raw" output from the relevant primitive (EdDSA, HMAC, etc.).

ciseng commented 3 years ago

[CS: Yes. This is written assuming a JOSE/COSE header associated with the token, or one that may have been received as a result of an introspection response. Will revise.]

ciseng commented 3 years ago

Clarified security protection is JOSE/COSE or via introspection result.
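The three failure conditions quoted from the original draft, as an added example that is not part of this thread or of the draft's text. It covers only the MAC case with HMAC; the `token_info` dictionary, its `alg` and `cnf_key` fields, the JOSE-style algorithm names and the sample key and content are assumptions constructed for illustration.

```python
import hashlib
import hmac

# Assumed allow-list of MAC algorithms, using JOSE-style names.
MAC_ALGS = {
    "HS256": hashlib.sha256,
    "HS384": hashlib.sha384,
    "HS512": hashlib.sha512,
}


def check_pop_mac(token_info, signed_content, received_mac):
    """Validate a proof-of-possession MAC; return (ok, reason).

    token_info is a hypothetical dict holding what the broker learned from
    the token's JOSE/COSE header or from an introspection response.
    """
    alg = token_info.get("alg")
    # Condition 1: the algorithm is "none" (or absent): always fail.
    if alg is None or str(alg).lower() == "none":
        return (False, "alg-none")
    digest = MAC_ALGS.get(alg)
    if digest is None:
        # Anything outside the allow-list is rejected, never guessed.
        return (False, "alg-unsupported")
    # Condition 2: the key for this algorithm cannot be determined.
    key = token_info.get("cnf_key")
    if not isinstance(key, (bytes, bytearray)) or len(key) == 0:
        return (False, "key-undetermined")
    # Condition 3: computed and received MAC do not match.
    expected = hmac.new(bytes(key), signed_content, digest).digest()
    if not hmac.compare_digest(expected, received_mac):  # constant-time compare
        return (False, "mac-mismatch")
    return (True, "ok")


# Constructed sample values, not taken from the draft.
SAMPLE_KEY = bytes(range(32))
SAMPLE_CONTENT = b"constructed-pop-content"
SAMPLE_MAC = hmac.new(SAMPLE_KEY, SAMPLE_CONTENT, hashlib.sha256).digest()

if __name__ == "__main__":
    good = {"alg": "HS256", "cnf_key": SAMPLE_KEY}
    print(check_pop_mac(good, SAMPLE_CONTENT, SAMPLE_MAC))
    print(check_pop_mac({"alg": "none", "cnf_key": SAMPLE_KEY}, SAMPLE_CONTENT, b""))
    print(check_pop_mac({"alg": "HS256"}, SAMPLE_CONTENT, SAMPLE_MAC))
```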