On 2018-02-12 20:03, PAVAN YADAV 16MCA1050 wrote:
How many resources can be connected to the resource server? Is there any limitation?

There is no limitation in the standards draft, you probably have some hardware limitations, but these are dependent on the specific device you are deploying the ACE framework on.

What is the max time limit for an access token for client?

Again no limit in the draft. It's implementation dependent.
In my code I made that an unsigned long (i.e. up to 2^64-1 ms).

... but: This is just the implementation limit. Since we are dealing with constrained environments, where tokens and the corresponding PoP key can get stolen, keeping the lifetime short is probably a good idea in general.

What will be the bit size of Proof-of-Possession digital token and key?

The size of the token depends on several parameters:

1.) If it is a CWT or something else (e.g. just a reference)
2.) If it is a CWT: what kind of COSE wrapper it has
3.) If it is a CWT: what claims does the token contain

You will get the smallest token size by just using a reference (but then the RS needs to do introspection or know the tokens beforehand).

If you need a compact CWT, using some symmetric key wrapper (MAC or Encrypt) will help you, and minimizing the number of claims (perhaps you can have some default claims that all involved parties know beforehand, like e.g. the profile they are using).

As a ballpark number, I create some CWTs in my JUnit tests that are roughly 200 bytes large. They contain a lot of claims including a public key, so that's probably at the larger end of the scale.

Size of the key depends on how you are performing the proof-of-possession. If you e.g. use DTLS-PSK you would typically use a 128-bit AES key.

Hope that helps


Ludwig Seitz, PhD
Security Lab, RISE SICS
Phone +46(0)70-349 92 51
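
Added example (not part of the original mail, and not the implementation it mentions): the dependence of token size on claims and wrapper, shown by building two CWTs as tagged COSE_Mac0 objects with HMAC 256/64 and comparing their encoded lengths. The small CBOR encoder, the all-zero key and every claim value are constructed for illustration.

```python
import hashlib, hmac, struct

def head(major, n):
    """CBOR initial byte plus shortest-form argument (RFC 8949)."""
    if n < 24:
        return bytes([major << 5 | n])
    for info, fmt in ((24, ">B"), (25, ">H"), (26, ">I"), (27, ">Q")):
        if n < 1 << (8 * struct.calcsize(fmt)):
            return bytes([major << 5 | info]) + struct.pack(fmt, n)
    raise ValueError("integer too large for CBOR")

def enc(x):
    """Minimal CBOR encoder: ints, byte/text strings, arrays, maps."""
    if isinstance(x, int):
        return head(0, x) if x >= 0 else head(1, -1 - x)
    if isinstance(x, bytes):
        return head(2, len(x)) + x
    if isinstance(x, str):
        return head(3, len(x.encode())) + x.encode()
    if isinstance(x, list):
        return head(4, len(x)) + b"".join(map(enc, x))
    if isinstance(x, dict):
        return head(5, len(x)) + b"".join(enc(k) + enc(v) for k, v in x.items())
    raise TypeError(type(x))

def cwt_mac0(claims, key):
    """CWT as tagged COSE_Mac0, HMAC 256/64 (COSE alg 4, 8-byte tag)."""
    protected = enc({1: 4})                      # protected header: alg = 4
    payload = enc(claims)
    to_mac = enc(["MAC0", protected, b"", payload])  # MAC_structure, empty external_aad
    tag = hmac.new(key, to_mac, hashlib.sha256).digest()[:8]
    return head(6, 17) + enc([protected, {}, payload, tag])

# Constructed sample values; claim keys are the registered CWT ones:
# iss=1 sub=2 aud=3 exp=4 iat=6 cti=7 cnf=8 scope=9
KEY = bytes(16)                                  # 128-bit AS<->RS key (all zero, demo only)
EXP, IAT = 1518465600, 1518462000
# Few claims; PoP key referenced by kid (cnf method 3)
MINIMAL = {4: EXP, 9: "r_temp", 8: {3: b"\x01"}}
# Many claims; cnf carries a full EC2 P-256 public key (cnf method 1, dummy coordinates)
FULL = {1: "coaps://as.example", 2: "client-1", 3: "coaps://rs.example",
        4: EXP, 6: IAT, 7: bytes(8), 9: "r_temp w_lock",
        8: {1: {1: 2, -1: 1, -2: bytes(32), -3: bytes(32)}}}

if __name__ == "__main__":
    print("minimal CWT:", len(cwt_mac0(MINIMAL, KEY)), "bytes")
    print("full CWT:   ", len(cwt_mac0(FULL, KEY)), "bytes")
```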
