Hi Ludwig,
That's better, thanks.
Best regards
Steffi
On 01/11/2019 02:09 PM, Ludwig Seitz wrote:
> Hi,
>
> I've merged Hannes' PR, fixed a typo and added a sentence as follows:
> =
> For self-contained tokens the RS MUST proces
On 18/12/2018 15:48, Stefanie Gerdes wrote:
Hi Hannes,
I think the text is much better now. Protecting the integrity of
self-contained tokens is not sufficient, however. The RS must not only
ascertain that the token is integrity-protected but also validate its
authenticity, i.e., that it stems from an authorized AS.
Best regards
Steffi
___
On 15/12/2018 15:58, Hannes Tschofenig wrote:
Hi Steffi
I checked the text and the text is indeed confusing.
I have made an attempt to update it to address your comment. Here is the pull
request:
https://github.com/ace-wg/ace-oauth/pull/168
Let me know if you think I captured everything prope
-
From: Ace On Behalf Of Hannes Tschofenig
Sent: Friday, 14 December 2018 17:18
To: Stefanie Gerdes ; Ludwig Seitz ; Jim
Schaad ; ace@ietf.org
Subject: Re: [Ace] Token (In)Security
Hi Steffi,
I anticipate that the use of tokens with IoT devices works similarly to OAuth
deployments today. As such
Schaad ;
ace@ietf.org
Subject: [Ace] Token (In)Security
Hi all,
as I understand the current proposal of the ACE framework, an attacker
can send an access token to the RS that only contains a scope and is not
signed or otherwise protected. Section 5.8.1.1 (titled verifying an
access token) does not state that RS must check the authenticity of the
token,