In going through and starting to map out how an implementation would work, I
have started getting some questions.

1.  What is the difference between scope and audience, and is there an
expected way that these values would relate to a CoAP URI?  From OAuth, I
would have generally expected scope to identify one or more resources to be
accessed.  However, this document requires that an audience either be
explicit or implicit and thus identifying things just by scope would not
work.

My basic expectation is that the scope and audience would normally be copied
into the access token after doing grant evaluation.  This means that we are
looking at three different entities that need to be able to understand how
these fields interact.

From my reading an audience could be anything from a host name to a full URI
or even a group name depending on the application being processed.  Is this
correct?

2.  When a cnf is sent as part of a request, are there any plans for the
ability to do a POP as part of this being thought about?  If not, is the
expectation that one would only offer an asymmetric key in a cnf if it had
already been provided to the AS?

Jim


_______________________________________________
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace
