I believe the consensus in the room at the F2F was to document 2, but make sure that it is not done in a way which would forbid 1 in the future. That is, the default should be 2, but a future document/solution should be able to say how 1 could be done in the future.
Jim

> -----Original Message-----
> From: Ace <[email protected]> On Behalf Of Ludwig Seitz
> Sent: Friday, November 23, 2018 2:34 AM
> To: [email protected]
> Subject: Re: [Ace] WGLC comments on draft-ietf-ace-oauth-authz and draft-ietf-ace-params
>
> On 23/11/2018 11:31, Ludwig Seitz wrote:
> > Hello ACE,
> >
> > I have now addressed all WGLC comments (Jim Schaad's, Mike Jones' and
> > Stefanie Gerdes') except for this one:
> >
> > "Do we need to write something about how a RS should handle the
> > presence of multiple tokens for the same client? Perhaps a security
> > consideration?
> >
> > I see two options:
> >
> > 1. Multiple tokens complement themselves i.e. if token A gives you right
> > R1 and token B right R2 then you have R1+R2.
> >
> > 2. The newer token always overwrites the old one, which means if you
> > want to extend your access rights as a client, when you already have A
> > -> R1 you need to ask the AS for B*->R1+R2.
> > "
> > (see https://github.com/ace-wg/ace-oauth/issues/147).
> >
> >
> > AFAIK the common usage in OAuth is option 2, however Jim has pointed
> > out use cases for option 1 and refers to it in
> > https://datatracker.ietf.org/doc/draft-schaad-cnf-cwt-id/
> >
> >
> > Jim has expressed a preference for 1. while Olaf has (in the Jabber at
> > IETF 103) expressed a preference for 2.
> >
> > I would need some guidance from the WG on how to proceed here.
> >
> > /Ludwig
> >
>
> Btw. I haven't uploaded a new draft yet. Please use the editor's copy and the
> diff here: https://github.com/ace-wg/ace-oauth and here:
> https://github.com/ace-wg/ace-oauth-params
>
> /Ludwig
>
> --
> Ludwig Seitz, PhD
> Security Lab, RISE
> Phone +46(0)70-349 92 51
>
> _______________________________________________
> Ace mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/ace
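As an added illustration of the two options Ludwig lists above (example code written for this page, not code from the thread or from the ACE drafts), a toy resource-server token store that implements both policies side by side. The Token fields, the policy names "complement" and "replace", the sample client name and the scopes R1/R2 are assumptions of this example; token validation is assumed to have already happened.

```python
"""Two resource-server (RS) policies for multiple tokens from one client.

Added example for this thread, not ACE WG code. Assumption: each Token has
already been validated and carries the client it is bound to, a scope set,
an expiry and an issue time; the caller supplies the current time.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Token:
    client: str             # client the token is bound to (assumed field)
    scopes: FrozenSet[str]  # rights granted, e.g. {"R1"}
    exp: int                # expiry, seconds since epoch
    issued: int             # issue time, decides which token is "newer"


@dataclass
class ResourceServer:
    policy: str  # "complement" (option 1) or "replace" (option 2)
    _tokens: Dict[str, List[Token]] = field(default_factory=dict)

    def accept(self, tok: Token) -> None:
        held = self._tokens.setdefault(tok.client, [])
        if self.policy == "replace":
            # Option 2: the newer token overwrites whatever the client had;
            # a token older than the one already held is ignored.
            if not held or tok.issued >= held[0].issued:
                held[:] = [tok]
        elif self.policy == "complement":
            # Option 1: tokens accumulate; effective rights are the union.
            held.append(tok)
        else:
            raise ValueError(f"unknown policy {self.policy!r}")

    def rights(self, client: str, now: int) -> FrozenSet[str]:
        """Effective rights of a client, dropping expired tokens first."""
        live = [t for t in self._tokens.get(client, []) if t.exp > now]
        self._tokens[client] = live
        return frozenset().union(*(t.scopes for t in live))


def demo(policy: str) -> FrozenSet[str]:
    """Client first presents A -> R1, then B -> R2; returns what it may do."""
    rs = ResourceServer(policy)
    rs.accept(Token("client-1", frozenset({"R1"}), exp=2000, issued=100))
    rs.accept(Token("client-1", frozenset({"R2"}), exp=2000, issued=200))
    return rs.rights("client-1", now=500)
```

Under "complement" the client ends up with R1+R2; under "replace" it keeps only R2, so extending its rights requires asking the AS for a B* carrying R1+R2, exactly the trade-off the thread describes.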
