AD review: clarify use of confidentiality protection in Security Considerations

[LudwigSeitz]

From Ben's review and discussion:

from changing any elements conveyed within the CWT payload.  Special
care has to be applied when carrying symmetric keys inside the CWT
since those not only require integrity protection but also
confidentiality protection.

Do we want to reiterate the common mechanisms for providing confidentiality protection here, or just leave the existing text earlier in the document to cover it?

Doesn't it say a few sentences before: "it is necessary to apply data origin authentication and integrity protection (via a keyed message digest or a digital signature)." ?

I would consider this to be enough.

That doesn't cover the confidentiality protection, specifically. (So it seems the answer to my original question is still unclear, at least to me.)

[LudwigSeitz]

Suggest we add a parenthesis like so: (e.g. by encrypting the cnf element as specified in section 3.3 or by encrypting the whole CWT as specified in [RFC8392])

[erdtman]

Works for me!