Hi Ludwig,

Thanks for the quick reply! Both updates sound good and address my comments. 

Francesca

On 25/03/2021, 08:22, "Seitz Ludwig" <ludwig.se...@combitech.se> wrote:

    Hello Francesca,

    Thank you for your review. I have some comments inline.

    /Ludwig

    > ----------------------------------------------------------------------
    > COMMENT:
    > ----------------------------------------------------------------------
    > 
    > Thank you for this document. A couple of minor comments below.
    > 
    > Francesca
    > 
    > 1. -----
    > 
    >       better symmetric keys than a constrained client.  The AS MUST
    >       verify that the client really is in possession of the
    >       corresponding key.  Values of this parameter follow the syntax and
    > 
    > FP: I think it would have been helpful to give some details about how this is
    > done "by verifying the signature ..." or a reference to where this is described.
    >
    I believe this would expand the scope of this document in a way I'd rather
    leave to the profiles.
    The AS can verify possession of a key in various ways, some of which may be
    provided by the security protocol used between the client and the AS, which
    in turn would be defined in the profiles.

    Would you be ok with the following addendum: "Profiles of [framework] using
    this specification MUST define the proof-of-possession method used by the AS,
    if they allow clients to request the use of asymmetric keys as
    proof-of-possession key."?


    > 2. -----
    > 
    >    parameters.  An RS MUST reject a proof-of-possession using such a
    >    key.
    > 
    > FP: Is any error message supposed to be sent in such a case?

    I suggest updating the text to add a 4.00 (Bad Request) here.
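As an added illustration that is not part of this thread, the draft, or any ACE profile: one way a verifier (AS or RS) could carry out the proof-of-possession check discussed above, as a challenge-response over the client's asymmetric key, answering a failed or replayed proof with the CoAP 4.00 (Bad Request) code proposed in the thread. The key pair, the challenge store, the success code and the use of 4.00 for a failed proof are assumptions made for the example; the textbook RSA over fixed Mersenne primes is only a stand-in so the block runs with the standard library alone and is not a secure signature.

```python
"""Constructed challenge-response proof-of-possession (PoP) check.

Illustration only: textbook RSA over two fixed Mersenne primes with no
padding is NOT a secure signature. The point is the control flow a profile
would have to pin down: the verifier issues a one-time challenge, the client
signs it with the key it claims to hold, the verifier checks the signature
against the key named in the request (or in the token's cnf) and rejects
anything else with 4.00 (Bad Request).
"""
import hashlib
import secrets

# Constructed toy key pair (assumption; far too small and unpadded for real use).
_P = 2**89 - 1
_Q = 2**127 - 1
N = _P * _Q                       # public modulus
E = 65537                         # public exponent
D = pow(E, -1, (_P - 1) * (_Q - 1))  # private exponent (Python 3.8+)


def _digest_int(data: bytes, modulus: int) -> int:
    """SHA-256 of the challenge, reduced into the RSA group (toy simplification)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % modulus


def client_sign(challenge: bytes, private_exp: int = D, modulus: int = N) -> int:
    """Client side: sign the verifier's challenge with the claimed PoP key."""
    return pow(_digest_int(challenge, modulus), private_exp, modulus)


def verify_possession(challenge: bytes, signature: int, public_key: tuple) -> bool:
    """Verifier side: does the signature over the challenge match the public key?"""
    e, n = public_key
    if not 0 < signature < n:          # reject malformed values before any math
        return False
    return pow(signature, e, n) == _digest_int(challenge, n)


class PopVerifier:
    """Stands in for the AS or RS: hands out challenges and checks proofs.

    Response codes are CoAP-style strings; 4.00 is the rejection the thread
    proposes, the success code is a placeholder (assumption) since it depends
    on the operation the proof guards.
    """

    def __init__(self) -> None:
        self._pending = set()          # challenges issued but not yet consumed

    def issue_challenge(self) -> bytes:
        challenge = secrets.token_bytes(16)
        self._pending.add(challenge)
        return challenge

    def check(self, challenge: bytes, signature: int, public_key: tuple) -> str:
        # Unknown or already-used challenge: treat as a bad request, which also
        # closes the replay path of resubmitting an old valid proof.
        if challenge not in self._pending:
            return "4.00 Bad Request"
        self._pending.discard(challenge)   # single use, even if the proof fails
        if not verify_possession(challenge, signature, public_key):
            return "4.00 Bad Request"
        return "2.05 Content"


if __name__ == "__main__":
    verifier = PopVerifier()
    nonce = verifier.issue_challenge()
    print(verifier.check(nonce, client_sign(nonce), (E, N)))      # accepted
    print(verifier.check(nonce, client_sign(nonce), (E, N)))      # replay rejected
```

The one design decision worth noting is that the challenge is discarded before the signature is checked, so a client gets exactly one attempt per challenge whether or not the proof succeeds; a profile that defines the PoP method would also need to say how long a challenge stays valid and how it is bound to the request that follows.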


_______________________________________________
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace
