Hi Hannes, I think the text is much better now. Protecting the integrity of self-contained tokens is not sufficient, however. The RS must not only ascertain that the token is integrity-protected but also validate its authenticity, i.e., that it stems from an authorized AS.
Viele Grüße Steffi _______________________________________________ Ace mailing list Ace@ietf.org https://www.ietf.org/mailman/listinfo/ace