On Nov 2, 2023, at 18:11, Henk Birkholz <[email protected]> wrote:
>
>> access token verification

That term (and its variants) is the start of the problem.

Of course you can validate an access token, then you know that you have a valid access token.
But you also need to find out whether that access token actually authorizes access!

Mixing up these two functions (one can be entirely in a library, the other needs application logic) is likely to be one of the biggest reasons for problems around using tokens.

Developing developer-friendly terminology may not have been on our initial list of security topics, but we now know it needs to be done.

(Now I have no idea why this note is in this thread.)

Grüße, Carsten

_______________________________________________
COSE mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/cose
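Added example, not part of the original message or of any COSE/CWT library: a sketch of the two functions the message separates, with validation (integrity and expiry) kept apart from the application's authorization decision. The HMAC-protected JSON token, the key, the `aud`/`scope` claim layout and the `REQUIRED_SCOPE` policy are all assumptions constructed for illustration.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"  # constructed sample key, not a real secret
# Hypothetical application policy: (method, resource) -> scope the token must carry.
REQUIRED_SCOPE = {("GET", "/sensors"): "sensors:read",
                  ("PUT", "/sensors"): "sensors:write"}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue(claims: dict) -> str:
    """Stand-in for the token issuer: JSON claims plus an HMAC-SHA256 tag."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    tag = hmac.new(KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(tag)}"

def validate(token: str, now: float) -> dict:
    """Library-level step: is this a valid token? Raises ValueError if not."""
    body, tag = token.split(".")  # wrong shape raises ValueError
    expected = hmac.new(KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(tag)):
        raise ValueError("integrity check failed")
    claims = json.loads(_unb64(body))
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        raise ValueError("expired or malformed claims")
    return claims

def authorizes(claims: dict, audience: str, method: str, resource: str) -> bool:
    """Application-level step: does this valid token permit this request here?"""
    needed = REQUIRED_SCOPE.get((method, resource))
    if needed is None:
        return False  # default deny for anything the policy does not name
    if claims.get("aud") != audience:
        return False  # valid token, but issued for a different server
    return needed in str(claims.get("scope", "")).split()

def handle(token: str, audience: str, method: str, resource: str, now: float) -> int:
    """Returns an HTTP-style status: 401 invalid token, 403 valid but not authorizing."""
    try:
        claims = validate(token, now)
    except ValueError:
        return 401
    return 200 if authorizes(claims, audience, method, resource) else 403
```

A request that stops after `validate()` succeeds would accept the write and the wrong-audience cases that `authorizes()` rejects.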
