Hi Steffi,

>> I also think that the client must be able to assume that RS' RPK that C
>> receives from AS is also valid as long as the token, unless C has additional
>> information.
>
> I would think that it is rather unlikely that the RS will change its
> public/private key pair so quickly. Right?
>
> I don't really know what you mean by "quickly". Access tokens may be valid
> for a long time, depending on the application scenario. Also, RS may already
> have its RPK for a while at the time when AS generates the access token. RPKs
> do not contain semantic information and C may not have additional information
> about the RPK. Therefore, C must be able to assume that the RS' RPK is valid
> as long as the access token.
>
> From an AS point of view it would make sense to make sure they hand out
> information to the client that actually works. If the token is still valid while
> the information about the RPK of the RS isn't then there may indeed be a
> failure case.

This isn't too bad since the client will then (hopefully) contact the AS again to get a new access token.

We could nevertheless add a note saying that the operator of the AS needs to consider these cases and that the client should contact the AS again in an error situation.

Ciao
Hannes

_______________________________________________
Ace mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ace
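The failure case discussed in this message (access token still valid, but the RPK of RS that AS handed to C no longer matches what RS presents), as an added simulation that is not part of the thread or of any ACE implementation: the field name rs_cnf follows the ACE framework, while the key identifiers, the AS/RS/C classes and the single-retry policy are assumptions made for illustration.

```python
class AccessTokenError(Exception):
    """Raised when the AS-supplied RPK cannot be reconciled with RS."""

class AuthServer:
    """AS: issues tokens carrying the RPK it currently believes RS uses."""
    def __init__(self, rs_rpk, lifetime=3600):
        self.rs_rpk, self.lifetime = rs_rpk, lifetime  # rs_rpk updated by operator

    def issue(self, now):
        return {"exp": now + self.lifetime, "rs_cnf": self.rs_rpk}

class ResourceServer:
    """RS: presents its current RPK when C connects (e.g. in the DTLS handshake)."""
    def __init__(self, rpk):
        self.rpk = rpk

class Client:
    """C: trusts rs_cnf for the token lifetime but re-contacts AS on error."""
    def __init__(self, auth, rs):
        self.auth, self.rs, self.token, self.as_contacts = auth, rs, None, 0

    def _refresh(self, now):
        self.as_contacts += 1
        self.token = self.auth.issue(now)

    def get_resource(self, now):
        if self.token is None or self.token["exp"] <= now:
            self._refresh(now)                 # expired: normal re-issue
        if self.rs.rpk == self.token["rs_cnf"]:
            return "ok"
        # Token still valid but the RPK info is stale: ask AS once more, then fail.
        self._refresh(now)
        if self.rs.rpk == self.token["rs_cnf"]:
            return "ok"
        raise AccessTokenError("AS-supplied rs_cnf does not match the key RS presents")

def scenario():
    """Key-rotation walk-through; returns the outcomes and the AS-contact count."""
    rs, auth = ResourceServer("rpk-1"), AuthServer("rpk-1")  # constructed key ids
    c = Client(auth, rs)
    out = [c.get_resource(now=0)]        # fresh token, keys agree
    rs.rpk = "rpk-2"                     # RS rotates its key while the token is valid
    try:
        c.get_resource(now=10)           # AS still holds the stale RPK: the failure case
    except AccessTokenError:
        out.append("error")
    auth.rs_rpk = "rpk-2"                # operator updates AS; C's next retry succeeds
    out.append(c.get_resource(now=20))
    return out, c.as_contacts
```

The run shows that C's retry alone does not recover the session: the error persists until the operator has refreshed the RPK information AS hands out, which is the case the proposed note would cover.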
