Especially in light of the possibility of signed requests along the lines of
https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-16, I believe that all the
ACE OAuth parameters should be registered as CWT claims. I'll repeat my
request, wearing my designated expert hat, that application-specific values not
be requested for registration in the one-byte ranges. The one-byte values
should be saved for claims that are likely to span multiple kinds of
applications.
-- Mike

-----Original Message-----
From: Ace <[email protected]> On Behalf Of Ludwig Seitz
Sent: Monday, August 27, 2018 11:44 PM
To: Samuel Erdtman <[email protected]>; Jim Schaad <[email protected]>
Cc: [email protected]
Subject: Re: [Ace] Parameter abbreviation number ranges for draft-ietf-ace-oauth-authz

On 2018-08-27 18:39, Samuel Erdtman wrote:
> +1 on pushing up error_description and error_uri
>
> I think client_id might be worth keeping low since it is often used
> even when in combination with client_secret. See OAuth mTLS as an example.
> On Mon, 27 Aug 2018 at 18:20, Jim Schaad <[email protected]
> <mailto:[email protected]>> wrote:
>
Note that the 1 byte range is 0-23.
Currently in the 1 byte uint range we have 20-23 left unused.
We could start assigning negative integer values in the 1 byte range if needed.

/Ludwig
--
Ludwig Seitz, PhD
Security Lab, RISE SICS
Phone +46(0)70-349 92 51
_______________________________________________
Ace mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ace
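
The size rule behind the range discussion in this thread, as an added example that is not part of the original messages: a CBOR (RFC 7049) integer encoder showing which abbreviation numbers fit in a single byte, including the negative values. The numbers in `SAMPLE_ASSIGNMENTS` are constructed for illustration and are not the draft's or the registry's assignments.

```python
import struct


def cbor_int(n: int) -> bytes:
    """Encode n as a CBOR integer: major type 0 (unsigned) or 1 (negative)."""
    # Negative integers are carried as the unsigned argument -1 - n.
    major, arg = (0, n) if n >= 0 else (1, -1 - n)
    if arg < 24:
        # Arguments 0..23 sit in the low 5 bits of the initial byte itself.
        return bytes([(major << 5) | arg])
    # Larger arguments follow the initial byte in 1, 2, 4 or 8 bytes.
    for info, fmt, limit in ((24, ">B", 1 << 8), (25, ">H", 1 << 16),
                             (26, ">I", 1 << 32), (27, ">Q", 1 << 64)):
        if arg < limit:
            return bytes([(major << 5) | info]) + struct.pack(fmt, arg)
    raise ValueError("out of range for a CBOR integer")


def one_byte_abbreviations(lo: int = -64, hi: int = 64) -> list:
    """All integers in [lo, hi] whose CBOR encoding is exactly one byte."""
    return [n for n in range(lo, hi + 1) if len(cbor_int(n)) == 1]


# Constructed assignments, for illustration only (not the draft's values).
SAMPLE_ASSIGNMENTS = {
    "client_id": 20,           # inside the unsigned one-byte range 0-23
    "client_secret": -1,       # negative, still one byte
    "error_description": 24,   # first value that needs a second byte
    "error_uri": 256,          # needs three bytes
}


def key_sizes(assignments: dict) -> dict:
    """Encoded size in bytes of each parameter's integer abbreviation."""
    return {name: len(cbor_int(num)) for name, num in assignments.items()}


if __name__ == "__main__":
    for name, num in SAMPLE_ASSIGNMENTS.items():
        enc = cbor_int(num)
        print(f"{name:18} {num:5} -> {enc.hex()} ({len(enc)} byte(s))")
    keys = one_byte_abbreviations()
    print(f"one-byte abbreviations: {keys[0]}..{keys[-1]} ({len(keys)} values)")
```

The one-byte set comes out as -24 through 23, which is why negative values are available once 0-23 is exhausted.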