On 2018-06-22 15:36, Hannes Tschofenig wrote:
Hi Jim,
I would like to comment on this issue.
-----
14. I have real problems w/ the use of a KID for POP identification. It may identify the wrong key or, if used for granting access, may have problems w/ identity collisions. These need to be spelt out someplace to help people tracking down questions of "why can't I verify w/ this CWT, I know it's right".
I just wanted to note that we inherited that issue from RFC 7800, does
someone recall what the security considerations were in that case?
Perhaps a variant of Hannes' text comes closer to what Jim is looking for:
"
- Operational Considerations
....
When an issuer creates a CWT containing a key id claim, it is not
acceptable to issue another CWT containing the same key id, unless they
both are for the same subject and for the same audience (e.g. providing
additional privileges for the subject).
"
/Ludwig
--
Ludwig Seitz, PhD
Security Lab, RISE SICS
Phone +46(0)70-349 92 51
_______________________________________________
Ace mailing list
https://www.ietf.org/mailman/listinfo/ace