Hi Ludwig,

Thanks for the quick reply! Both updates sound good and address my comments.

Francesca

On 25/03/2021, 08:22, "Seitz Ludwig" <ludwig.se...@combitech.se> wrote:

Hello Francesca,

Thank you for your review. I have some comments inline.

/Ludwig

> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> Thank you for this document. A couple of minor comments below.
>
> Francesca
>
> 1. -----
>
>    better symmetric keys than a constrained client. The AS MUST
>    verify that the client really is in possession of the
>    corresponding key. Values of this parameter follow the syntax and
>
> FP: I think it would have been helpful to give some details about how this is
> done "by verifying the signature ..." or a reference to where this is described.

I believe this would expand the scope of this document in a way I'd rather leave to the profiles. The AS can verify possession of a key in various ways, some of which may be provided by the security protocol used between the client and the AS, which in turn would be defined in the profiles.

Would you be OK with the following addendum: "Profiles of [framework] using this specification MUST define the proof-of-possession method used by the AS, if they allow clients to request the use of asymmetric keys as proof-of-possession key."?

> 2. -----
>
>    parameters. An RS MUST reject a proof-of-possession using such a
>    key.
>
> FP: Is any error message supposed to be sent in such a case?

I suggest updating this to add a 4.00 (Bad Request) here.

_______________________________________________
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace