> On Aug 15, 2023, at 11:40 AM, Rodrigo Speller
> wrote:
>
> So, during the flight, I reflected on Matthias' insistence: "What could we be
> missing?" Brilliantly, I think Matthias raised a very important and fixable
> point: “That the user MUST allow the connection on both sides on the
Hi Rodrigo,
I fully agree with all your points. You totally got my points and concerns,
and as far as I understood your explanations, that's exactly what I was
pointing to as an addition to the protocol instead of letting all further
protocols that may evolve in the future implement such validation.
Arguably the client can't revoke the token. It can request to revoke the
token and then the decision of whether it is revoked is only on the AS. A
client considering a token revoked has no merit on the value of the *active*
flag.
For full context, this is the section:
I don’t think it’s necessary to enumerate all of the possible parties that
could have had a hand in revoking the token — it could also have been revoked by the
AS through some backend process or through administrative action. If a token is
revoked, it’s revoked — and the RS doesn’t generally care why.