On 18/12/2018 15:48, Stefanie Gerdes wrote:
Hi Hannes,
I think the text is much better now. Protecting the integrity of
self-contained tokens is not sufficient, however. The RS must not only
ascertain that the token is integrity-protected but also validate its
authenticity, i.e., that it stems from an authorized AS.
Viele Grüße
Steffi
Hi,
I've merged Hannes' PR, fixed a typo and added a sentence as follows:
=====================================================================
For self-contained tokens the RS MUST process the security protection of
the token first, as specified by the respective token format. ~snip~
This MUST include a verification that security protection (and thus the
token) was generated by an AS that has the right to issue access tokens
for this RS.
=====================================================================
I have not extended this requirement to tokens passed as a reference,
since in that case the RS needs to do introspection at an authorized AS
anyways. It would thus not get the claims of a token issued by an
unauthorized AS, which would in turn lead to the token being discarded.
Does that sound correct to you all?
/Ludwig
--
Ludwig Seitz, PhD
Security Lab, RISE
Phone +46(0)70-349 92 51
_______________________________________________
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace
