from changing any elements conveyed within the CWT payload. Special
care has to be applied when carrying symmetric keys inside the CWT
since those not only require integrity protection but also
confidentiality protection.

Do we want to reiterate the common mechanisms for providing
confidentiality protection here, or just leave the existing text earlier
in the document to cover it?

Doesn't it say a few sentences before: "it is
necessary to apply data origin authentication and integrity
protection (via a keyed message digest or a digital signature)." ?
I would consider this to be enough.

That doesn't cover the confidentiality protection, specifically. (So it
seems the answer to my original question is still unclear, at least to me.)

Suggest we add a parenthesis like so: (e.g. by encrypting the cnf element as specified in section 3.3 or by encrypting the whole CWT as specified in [RFC8392])

From Ben's review and discussion:
That doesn't cover the confidentiality protection, specifically. (So it seems the answer to my original question is still unclear, at least to me.)