We're implementing transactional messaging in ACS, and have just set up the JWT Authentication in Adobe I/O. The way the encryption happens for the JWT seems strange to me, and I was wondering if anyone could help clarify this?
In any other 'normal' instances, like let's say an encrypted PGP file sent from a client to ACC, it is the client (the sender) who encrypts the file using a public key, and ACC (the recipient) who decrypts it using its private key.
With the Adobe I/O JWT exchange, it is the opposite : the client needs to encrypt it with a private key, and Adobe decrypts it with a public key. So we need to ask the client to generate a key pair and send us the public key, which is kind of strange. My client was asking about this behaviour, and I couldn't answer because it seems like the wrong logic to me too.
Can someone shed some light on this please? Every article I find on this topic says the same : "The public key is verified with the client and the private key used in the decryption process".