Re: [Last-Call] [Gen-art] [Ace] Genart last call review of draft-ietf-ace-oauth-params-06


 



Hello Elwyn,

 

Sorry for being a pain. I have one more comment.

 

/Ludwig (now finally from the corporate account)

 

From: elwynd <elwynd@xxxxxxxxxxxx>
Sent: den 22 december 2019 19:27
To: Ludwig Seitz <ludwig_seitz@xxxxxx>; Elwyn Davies <elwynd@xxxxxxxxxxxxxx>; gen-art@xxxxxxxx
Cc: last-call@xxxxxxxx; draft-ietf-ace-oauth-params.all@xxxxxxxx; ace@xxxxxxxx
Subject: Re: [Gen-art] [Ace] Genart last call review of draft-ietf-ace-oauth-params-06

 

Hi, Ludwig.

 

Having had another look at section 3.1 of draft-ietf-ace-cwt-proof-of-possession, technically the rules about which keys have to be present are not part of the syntax of the cnf claim. The point can be covered by changing "syntax of the 'cnf' claim"

to "syntax and semantics of the 'cnf' claim"

in each case.

 

[LS] Ok. Will do.

 

However, the second look threw up another point: Figure 2 in s3.2 gives a Symmetric key example - I think this should use an Encrypted_COSE_Key (or Encrypted_COSE_Key0) as described in section 3.3 of draft-ietf-ace-cwt-proof-of-possession.

 

[LS] Figure 2 in 3.2 gives an example of an AS response to a client requesting an access token. As per the requirements from draft-ietf-ace-oauth-authz, this communication MUST be confidentiality protected, therefore it is unnecessary to additionally encrypt the COSE_Key.

The provisions in 3.3 of draft-ietf-ace-cwt-proof-of-possession are for access tokens in CWT format, containing a symmetric key, that are not encrypted themselves (i.e. only MAC:ed or signed).

 

Otherwise I think we are done.

 

Eventually we will get to Christmas!  

 

[LS] I promise to leave it be over the holidays.

-- 
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call
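
The distinction discussed in this thread, as an added example that is not part of the original messages or of either draft: a check over a decoded 'cnf' map that accepts a plaintext symmetric COSE_Key only when the enclosing message is confidentiality protected. Assumptions: decoded CBOR is modelled as Python dicts, the integer labels are taken from RFC 8747 (the published form of draft-ietf-ace-cwt-proof-of-possession), and `check_cnf` and the sample values are hypothetical.

```python
# Added example. Decoded CBOR maps are modelled as Python dicts with integer
# labels. Label values are assumptions taken from RFC 8747 (the published
# form of draft-ietf-ace-cwt-proof-of-possession); they are not on this page.
CNF_COSE_KEY, CNF_ENCRYPTED_COSE_KEY = 1, 2   # members of the cnf map
KTY, KTY_SYMMETRIC, K = 1, 4, -1              # COSE_Key parameters


def check_cnf(cnf, confidentiality_protected):
    """Return a list of problems with a decoded cnf map (empty list = ok).

    confidentiality_protected is True when the message carrying the cnf is
    encrypted as a whole (the AS response to the client, or an encrypted
    CWT) and False for a token that is only MACed or signed.
    """
    problems = []
    plain = cnf.get(CNF_COSE_KEY)
    wrapped = cnf.get(CNF_ENCRYPTED_COSE_KEY)
    # Semantic rule rather than syntax: the two representations are exclusive.
    if plain is not None and wrapped is not None:
        problems.append("both COSE_Key and Encrypted_COSE_Key present")
    if plain is not None and plain.get(KTY) == KTY_SYMMETRIC:
        if K not in plain:
            problems.append("symmetric COSE_Key without key bytes")
        elif not confidentiality_protected:
            problems.append("plaintext symmetric key in unencrypted container")
    return problems


# Constructed sample values (not taken from the drafts).
SYM_KEY = {KTY: KTY_SYMMETRIC, K: bytes(16)}
AS_RESPONSE_CNF = {CNF_COSE_KEY: SYM_KEY}        # AS response, protected channel
SIGNED_ONLY_TOKEN_CNF = {CNF_COSE_KEY: SYM_KEY}  # CWT that is only signed
# Placeholder COSE_Encrypt0 array: [protected header, unprotected header, ciphertext]
WRAPPED_CNF = {CNF_ENCRYPTED_COSE_KEY: [b"\xa1\x01\x0a", {5: bytes(13)}, bytes(32)]}

if __name__ == "__main__":
    cases = [
        ("AS response", AS_RESPONSE_CNF, True),
        ("signed-only token", SIGNED_ONLY_TOKEN_CNF, False),
        ("wrapped key in signed-only token", WRAPPED_CNF, False),
    ]
    for name, cnf, protected in cases:
        print(name, "->", check_cnf(cnf, protected) or "ok")
```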
