Hello ACE,

As a follow-up on a discussion between the authors and the Gen-ART Last Call reviewer, we have the following issue I'd like to bring to the list to give you the occasion to comment on our proposed solution:

> * In the previously mentioned paragraph in 3.3.1:
>
> ... This specification assumes that the access token is a PoP token as described in [I-D.ietf-ace-oauth-authz] unless specifically stated otherwise.
>
> The "unless specifically stated otherwise" is too vague to be normative. How would the alternative be indicated? Is this an escape hatch for future extensions? If so, it needs more work to make that clear and to open a path for that future work.

In response, Ben Kaduk suggested making PoP tokens mandatory in both the framework and the profiles. I objected, saying that there may be legitimate use cases for bearer tokens in ACE. Steffi made the following suggestion, which both Ben and I think is the best way forward:

> Since no alternatives to PoP tokens are mentioned in the DTLS profile, I would change this to: "This specification implements access tokens as proof-of-possession tokens".
>
> Maybe the framework may add that a profile that uses a different token type must specify how this would work.

If you disagree with this approach, please join the discussion.

Regards,

Ludwig

--
Ludwig Seitz
Infrastructure Security Analyst
Combitech AB

_______________________________________________
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace