Hi Olaf,

Right! Somehow I managed to miss the "response" from the "access token response".

Thanks for the answers, it all looks good to me and ready to ship.

Francesca

On 8 June 2021 at 11:59:19 CEST, Olaf Bergmann <bergm...@tzi.org> wrote:

Hi Francesca,

On 2021-06-08, Francesca Palombini <francesca.palomb...@ericsson.com> wrote:

> My turn to apologize for the late reply :) I went through the comment
> again and I believe I must have misread something. I am ok with the
> current text, or the previous one as well, if you'd rather not add
> this sentence.

Thanks for the followup — we have kept the new text in version -18.

> I do have one additional comment, which came out while looking this over
> again - about the following text:
>
>    correct public key in the DTLS handshake. If the authorization
>    server has specified a "cnf" field in the access token response, the
>    client MUST use this key. Otherwise, the client MUST use the public
>
> The access token is opaque to the client (as defined in the ace
> framework), so the client is not necessarily able to read and extract
> the key it is supposed to use from it. If I am not mistaken, the
> correct way for the AS to tell the client what key to use would be to
> use the "cnf" field defined in Section 3.2 of oauth-params.

You are correct. That is basically what this text says (= if the AS has
provided the cnf in its response, the client has to use it).

Regards
Olaf
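The point settled in the exchange above (the access token is opaque to the client, so the key the client uses in the DTLS handshake has to come from the "cnf" parameter of the token response, not from the token itself) can be made concrete with a small client-side key-selection routine. This is an added illustration, not code from the ACE drafts, from either author, or from any implementation. It assumes the token response has already been decoded into a Python dict with string parameter names ("access_token", "cnf"), that the "cnf" map uses the RFC 8747 confirmation-method labels (COSE_Key = 1, Encrypted_COSE_Key = 2, kid = 3) and COSE_Key labels (kty = 1), and it takes the "Otherwise" key as a caller-supplied fallback, because which key the profile mandates in that branch is in the sentence cut off in the quote and is not reproduced here.

```python
"""Client-side selection of the DTLS handshake key from an ACE token response.

Added example, not code from the ACE drafts or any implementation.
Assumptions: the response is a dict with string parameter names; the cnf
map follows RFC 8747 (labels 1/2/3); the access token is opaque bytes that
the client never parses; the fallback key is supplied by the caller.
"""

# RFC 8747 confirmation-method labels (assumed mapping for this example).
CNF_COSE_KEY = 1
CNF_ENCRYPTED_COSE_KEY = 2
CNF_KID = 3
COSE_KTY = 1  # COSE_Key common parameter "kty"


class KeySelectionError(Exception):
    """Raised when the response does not let the client pick a key safely."""


def select_handshake_key(token_response, known_keys, fallback_key):
    """Return the COSE_Key (a dict) the client uses in the DTLS handshake.

    token_response: decoded AS response, e.g. {"access_token": b"...", "cnf": {...}}
    known_keys:     {kid (bytes): COSE_Key dict} keys the client already holds,
                    for the case where cnf only carries a "kid" reference
    fallback_key:   COSE_Key to use when the AS sent no cnf (which key that
                    is, is fixed by the profile text and not by this example)
    """
    token = token_response.get("access_token")
    if not isinstance(token, (bytes, bytearray)):
        raise KeySelectionError("access_token missing or not an opaque byte string")
    # The token is opaque to the client: it is never parsed here to find a key.

    cnf = token_response.get("cnf")
    if cnf is None:
        # No cnf in the response: the "Otherwise" branch of the profile text.
        return fallback_key
    if not isinstance(cnf, dict):
        raise KeySelectionError("cnf must be a map")

    if CNF_COSE_KEY in cnf:
        key = cnf[CNF_COSE_KEY]
        if not isinstance(key, dict) or COSE_KTY not in key:
            raise KeySelectionError("cnf COSE_Key is malformed (no kty)")
        return key

    if CNF_KID in cnf:
        # The AS refers to a key the client already holds; it must exist locally.
        kid = bytes(cnf[CNF_KID])
        if kid not in known_keys:
            raise KeySelectionError("cnf kid references a key the client does not hold")
        return known_keys[kid]

    if CNF_ENCRYPTED_COSE_KEY in cnf:
        # An encrypted key is addressed to the RS, so the client cannot use it
        # as its own handshake key; refuse rather than guess.
        raise KeySelectionError("Encrypted_COSE_Key is not usable by the client")

    raise KeySelectionError("cnf carries no confirmation method the client can use")


# Constructed sample data (not captured from any real AS).
SAMPLE_RESPONSE_WITH_CNF = {
    "access_token": b"\xd8\x3d\xa0opaque-token-bytes",  # never parsed
    "cnf": {CNF_COSE_KEY: {COSE_KTY: 2, -1: 1, -2: b"x" * 32, -3: b"y" * 32}},
}
SAMPLE_RESPONSE_WITHOUT_CNF = {"access_token": b"opaque-token-bytes"}
SAMPLE_FALLBACK_KEY = {COSE_KTY: 2, -1: 1, -2: b"f" * 32, -3: b"g" * 32}


def demo():
    """Run both branches on the constructed samples and return the chosen keys."""
    from_cnf = select_handshake_key(SAMPLE_RESPONSE_WITH_CNF, {}, SAMPLE_FALLBACK_KEY)
    from_fallback = select_handshake_key(SAMPLE_RESPONSE_WITHOUT_CNF, {}, SAMPLE_FALLBACK_KEY)
    return from_cnf, from_fallback


if __name__ == "__main__":
    chosen, fallback = demo()
    print("key from cnf:", chosen is SAMPLE_RESPONSE_WITH_CNF["cnf"][CNF_COSE_KEY])
    print("fallback used:", fallback is SAMPLE_FALLBACK_KEY)
```

The deliberate choice is that the token bytes are only checked for being an opaque byte string and nothing else; every code path that yields a key goes through "cnf" or the caller-supplied fallback, which is the rule the thread converges on.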
_______________________________________________ Ace mailing list Ace@ietf.org https://www.ietf.org/mailman/listinfo/ace