Hi Steffi,
>> I also think that the client must be able to assume that RS' RPK that C
>> receives from AS is also valid as long as the token, unless C has additional
>> information.
>
> I would think that it is rather unlikely that the RS will change its
> public/private key pair so quickly.
Hi Steffi,
> In OAuth, the expires_in field is usually used to inform the client how long
> the access token is valid. If the client uses the access token in a request
> after the token expired, the RS will reject the request, which usually is not
> a big problem for the client.
> In ACE, AS
Hi Hannes,
I think the text is much better now. Protecting the integrity of
self-contained tokens is not sufficient, however. The RS must not only
ascertain that the token is integrity-protected but also validate its
authenticity, i.e., that it stems from an authorized AS.
Best regards
Steffi
Hi Hannes,
On 12/15/2018 04:04 PM, Hannes Tschofenig wrote:
> Hi Steffi,
>
> ~snip~
>
>
>> I also think that the client must be able to assume that RS' RPK that C
>> receives from AS is also valid as long as the token, unless C has additional
>> information.
>
> I would think that it is
Hi Hannes,
On 12/18/2018 02:51 PM, Hannes Tschofenig wrote:
> ~snip~
>
>
> Now that I got a response from the OAuth working group (in the sense that I
> was thinking about the claims in the access token rather than the parameters
> in the response from the AS) I think checking the expires_in
On 18/12/2018 14:51, Hannes Tschofenig wrote:
Hi Steffi, Hi Ludwig,
~snip~
The access information optionally can contain an expires_in
field. It would help to prevent security breaches under the
following conditions:
1. the keying material is valid as long as the ticket, 2. the
expires_in
Hi Steffi, Hi Ludwig,
~snip~
>> The access information optionally can contain an expires_in field.
>> It would help to prevent security breaches under the following
>> conditions:
> 1. the keying material is valid as long as the ticket, 2. the
> expires_in field is present in the access
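An added example, written for this page and not code from the ACE draft or from any of the thread's participants, that models the three points discussed above in one place: the AS hands C a self-contained token plus the matching PoP key material, C treats that key material as valid only as long as the token (using expires_in when the AS supplies it, and otherwise relying on the RS to reject a stale request), and the RS checks not merely that the token is integrity-protected but that it was issued by an AS it is configured to trust. Tokens are JSON plus an HMAC rather than CWT/COSE, the PoP key is derived from the AS/RS shared key instead of being encrypted into the cnf claim, and all keys, names and timestamps are constructed; these are simplifications of this example, not the protocol's encoding.

```python
"""Toy model of C / AS / RS token and key lifetime handling (constructed example).
Simplifications, not ACE encoding: JSON+HMAC stands in for a CWT/COSE token, and the
PoP key is derived from the AS/RS shared key instead of being encrypted in 'cnf'."""
import base64
import hashlib
import hmac
import json

# Constructed key material. The RS trusts exactly one AS, identified by issuer name.
AS_KEY = bytes.fromhex("00" * 16 + "11" * 16)   # shared by AS and RS (constructed)
ROGUE_KEY = bytes.fromhex("22" * 32)             # key of an AS the RS does NOT trust
TRUSTED_AS = {"as.example": AS_KEY}


def _b64(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _pop_key(as_key: bytes, kid: str) -> bytes:
    # Simplification: PoP key derived from the AS/RS key and the key id; stands in for
    # the COSE_Key an ACE AS would encrypt to the RS inside the cnf claim.
    return hmac.new(as_key, b"pop:" + kid.encode(), hashlib.sha256).digest()


def issue_token(issuer, as_key, aud, scope, kid, lifetime_s, now):
    """AS side: integrity-protected, self-contained token and the access information
    returned to C (access_token, expires_in, cnf). The PoP key is meaningful only
    while the token is valid, which is the recommendation made in the thread."""
    claims = {"iss": issuer, "aud": aud, "scope": scope, "cnf": {"kid": kid},
              "exp": now + lifetime_s}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    tag = _b64(hmac.new(as_key, body.encode(), hashlib.sha256).digest())
    return {"access_token": body + "." + tag, "expires_in": lifetime_s,
            "cnf": {"kid": kid, "k": _pop_key(as_key, kid)}}


class Client:
    """C side: binds the PoP key's lifetime to the token's, via expires_in when present."""

    def __init__(self, access_info, received_at):
        self.token = access_info["access_token"]
        self.pop_key = access_info["cnf"]["k"]
        exp_in = access_info.get("expires_in")
        self.valid_until = None if exp_in is None else received_at + exp_in

    def key_material_usable(self, now):
        # Without expires_in the client cannot tell; it has to try and let the RS reject.
        return self.valid_until is None or now < self.valid_until

    def request(self, payload: bytes):
        mac = hmac.new(self.pop_key, payload, hashlib.sha256).digest()
        return {"token": self.token, "payload": payload, "mac": _b64(mac)}


def rs_accept(msg, trusted_as, aud, now):
    """RS side. Returns (claims, 'ok') if accepted, otherwise (None, reason)."""
    try:
        body, tag = msg["token"].split(".")
        claims = json.loads(_unb64(body))
    except (ValueError, KeyError):
        return None, "malformed token"
    # Authenticity, not only integrity: the issuer must be an AS this RS trusts.
    as_key = trusted_as.get(claims.get("iss"))
    if as_key is None:
        return None, "unknown issuer"
    expected = hmac.new(as_key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(tag)):
        return None, "bad token MAC"
    if claims.get("aud") != aud:
        return None, "wrong audience"
    if now >= claims["exp"]:
        return None, "token expired"
    pop = _pop_key(as_key, claims["cnf"]["kid"])
    req_mac = hmac.new(pop, msg["payload"], hashlib.sha256).digest()
    if not hmac.compare_digest(req_mac, _unb64(msg["mac"])):
        return None, "bad proof-of-possession"
    return claims, "ok"


def demo():
    t0 = 1_545_000_000  # constructed timestamp
    info = issue_token("as.example", AS_KEY, "rs.example", "read", "k1", 3600, t0)
    c = Client(info, t0)
    r = {}
    r["fresh"] = rs_accept(c.request(b"GET /temp"), TRUSTED_AS, "rs.example", t0 + 10)[1]
    r["client_sees_expiry"] = c.key_material_usable(t0 + 3601)
    r["expired"] = rs_accept(c.request(b"GET /temp"), TRUSTED_AS, "rs.example", t0 + 3601)[1]
    rogue = Client(issue_token("evil.example", ROGUE_KEY, "rs.example", "read", "k1", 3600, t0), t0)
    r["rogue_issuer"] = rs_accept(rogue.request(b"GET /temp"), TRUSTED_AS, "rs.example", t0 + 10)[1]
    forged = Client(issue_token("as.example", ROGUE_KEY, "rs.example", "read", "k1", 3600, t0), t0)
    r["forged_mac"] = rs_accept(forged.request(b"GET /temp"), TRUSTED_AS, "rs.example", t0 + 10)[1]
    return r
```

Running demo() exercises the four cases the thread turns on: a fresh request is accepted; once expires_in has elapsed the client itself stops using the PoP key, and the RS would reject the token anyway; a token from an issuer the RS is not configured to trust is rejected before its MAC is even checked; and a token that names a trusted issuer but was produced with some other key fails the MAC check. The issuer lookup before the MAC check is what turns "integrity-protected" into "from an authorized AS".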
Hi Ludwig,
A few remarks inline:
-Original Message-
From: Ludwig Seitz
Sent: Tuesday, 18 December 2018 09:27
To: Hannes Tschofenig ; Stefanie Gerdes
; Jim Schaad ; ace@ietf.org
Subject: Re: [Ace] Security of the Communication Between C and RS
On 15/12/2018 16:04, Hannes Tschofenig
On 15/12/2018 16:04, Hannes Tschofenig wrote:
Hi Steffi,
~snip~
I really think you should point out that symmetric keying material
that the AS provides to the client is valid as long as the token.
I think that's a useful recommendation. I do, however, believe that
we are not making the same
On 15/12/2018 15:58, Hannes Tschofenig wrote:
Hi Steffi
I checked the text and the text is indeed confusing.
I have made an attempt to update it to address your comment. Here is the pull
request:
https://github.com/ace-wg/ace-oauth/pull/168
Let me know if you think I captured everything