Hello ACE,
I have now addressed all WGLC comments (Jim Schaad's, Mike Jones' and
Stefanie Gerdes') except for this one:
"Do we need to write something about how a RS should handle the presence
of multiple tokens for the same client? Perhaps a security consideration?
I see two options:
1. Multiple tokens complement each other, i.e. if token A gives you right
R1 and token B right R2 then you have R1+R2.
2. The newer token always overwrites the old one, which means if you
want to extend your access rights as a client, when you already have A
-> R1 you need to ask the AS for B*->R1+R2.
"
(see https://github.com/ace-wg/ace-oauth/issues/147).
AFAIK the common usage in OAuth is option 2; however, Jim has pointed out
use cases for option 1 and refers to it in
https://datatracker.ietf.org/doc/draft-schaad-cnf-cwt-id/
Jim has expressed a preference for 1, while Olaf has (in the Jabber at
IETF 103) expressed a preference for 2.
I would need some guidance from the WG on how to proceed here.
/Ludwig
--
Ludwig Seitz, PhD
Security Lab, RISE
Phone +46(0)70-349 92 51
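A minimal RS-side token store modelling the two options discussed above, added here as an example (not code from the ACE draft or from anyone in the thread); rights are plain strings, and the proof-of-possession key binding of real tokens is left out.

```python
"""Toy RS token store (constructed example) comparing option 1 (rights
from all valid tokens add up) with option 2 (newest token overwrites).
Shows the practical difference: under option 1 a narrower newer token
does not reduce rights until the older token expires; under option 2 a
client extending its rights must ask the AS for the superset."""
from dataclasses import dataclass, field

UNION = "union"      # option 1: tokens complement each other
REPLACE = "replace"  # option 2: newest token replaces older ones


@dataclass
class Token:
    rights: frozenset   # scope granted by this token
    issued_at: int      # 'iat' claim, seconds since epoch
    expires_at: int     # 'exp' claim, seconds since epoch


@dataclass
class TokenStore:
    policy: str
    tokens: dict = field(default_factory=dict)  # client id -> [Token]

    def add(self, client: str, token: Token) -> None:
        if self.policy == REPLACE:
            # Only the newest token counts; ignore a token that arrives
            # late but was issued before the one already stored.
            current = self.tokens.get(client, [])
            if current and current[0].issued_at > token.issued_at:
                return
            self.tokens[client] = [token]
        else:
            # Keep every token; rights are the union of all valid ones.
            self.tokens.setdefault(client, []).append(token)

    def rights(self, client: str, now: int) -> frozenset:
        """Rights the client currently holds, ignoring expired tokens."""
        result = frozenset()
        for tok in self.tokens.get(client, []):
            if tok.expires_at > now:
                result |= tok.rights
        return result

    def authorized(self, client: str, right: str, now: int) -> bool:
        return right in self.rights(client, now)
```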
_______________________________________________
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace