Hello ACE,

turns out -26 didn't cover one of the items in Ben's review, namely the question of using Client introspection to determine token expiration as a lower bound for key expiration. Since the whole issue of Client introspection was contentious between OAuth experts, we decided to remove the text describing that option. This still leaves us with the two other options, so the problem is still covered.

/Ludwig

--
Ludwig Seitz, PhD
Security Lab, RISE
Phone +46(0)70-349 92 51
_______________________________________________
Ace mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ace
