Re: [OAUTH-WG] AD review of draft-ietf-oauth-jwsreq

[John Bradley <ve7jtb@ve7jtb.com>]

Snip
> On Jan 3, 2017, at 2:36 PM, Nat Sakimura <sakimura@gmail.com> wrote:
> 
>  
> 
>  
> 2) On page 9 the text states:
> The authorization request object MUST be either
>    (a)  JWS signed; or
>    (b)  JWE encrypted; or
>    (c)  JWS signed and JWE encrypted.
>  
> This should be replaced by:
> The authorization request object MUST be either
>    (a)  JWS signed; 
>    (b)  JWE encrypted (when secret keys are being used); or
>    (c)  JWS signed and JWE encrypted.
> 
> That's acceptable. (Thanks for amending your proposal after several private exchanges.)  
> 


Secret is not a clear term to use.  It should be JWE encrypted (when symmetric keys are bing used)  
The private part of a RSA keypair is also secret.

John B.