Hi Ludwig,

It might depend on what you mean by “client”, and what you mean by “choose”.

I’m going to assume we don’t want humans involved at any stage, since they are bad at choosing things. So I’m assuming “client” means some element on the device. The original concern may have been about a client device’s ability to generate reliably random values. The assumption may have been that the AS would generally have a better chance of accessing sufficient entropy in support of key generation, and possibly be harder to subvert?

Just a thought.

R

> On 24 Aug 2017, at 20:00, [email protected] wrote:
>
> From: Ludwig Seitz <[email protected]>
> Subject: [Ace] Question about an issue in draft-ietf-ace-oauth-authz
> Date: 24 August 2017 at 10:03:49 GMT+1
> To: "[email protected]" <[email protected]>
>
> Hello list,
>
> I've got a very specific question about an issue raised by Jim Schaad
> (https://github.com/LudwigSeitz/ace-oauth/issues/98):
>
> Currently the draft RECOMMENDS to disallow the client from choosing a
> specific symmetric key for proof-of-possession (i.e. we want the AS to
> generate one) when interacting with the /token endpoint at the AS.
>
> I cannot remember why we specified it that way, so should we drop that
> recommendation?
>
> /Ludwig
>
> --
> Ludwig Seitz, PhD
> Security Lab, RISE SICS
> Phone +46(0)70-349 92 51
>
> _______________________________________________
> Ace mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/ace
