Hi Ludwig,

That's better, thanks.

Best regards,
Steffi

On 01/11/2019 02:09 PM, Ludwig Seitz wrote:
> Hi,
>
> I've merged Hannes' PR, fixed a typo and added a sentence as follows:
> =====================================================================
> For self-contained tokens the RS MUST process the security protection of
> the token first, as specified by the respective token format. ~snip~
> This MUST include a verification that security protection (and thus the
> token) was generated by an AS that has the right to issue access tokens
> for this RS.
> =====================================================================
>
> I have not extended this requirement to tokens passed as a reference,
> since in that case the RS needs to do introspection at an authorized AS
> anyways. It would thus not get the claims of a token issued by an
> unauthorized AS, which would in turn lead to the token being discarded.
>
> Does that sound correct to you all?
>
> /Ludwig
>
_______________________________________________
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace
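
The check order in the quoted requirement, sketched for a self-contained token. This is an added example, not part of the thread or the draft; it uses an HMAC over a JSON payload as a stand-in for the token format's own protection, and every name, key and AS identifier in it is constructed.

```python
import hashlib
import hmac
import json

# Constructed sample data: keys the RS shares with each AS it knows about,
# and the subset of those AS that may issue access tokens for this RS.
AS_KEYS = {"as-home": b"k" * 32, "as-other": b"o" * 32}
AUTHORIZED_AS_FOR_THIS_RS = {"as-home"}


class TokenRejected(Exception):
    pass


def issue_token(as_id, key, claims):
    """Hypothetical helper standing in for an AS: MAC-protect a claims payload."""
    payload = json.dumps(claims, sort_keys=True)
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"kid": as_id, "payload": payload, "tag": tag})


def rs_process_token(token):
    """Process the protection first; read claims only after the issuer check."""
    try:
        envelope = json.loads(token)
        kid, payload, tag = envelope["kid"], envelope["payload"], envelope["tag"]
    except (ValueError, KeyError, TypeError) as exc:
        raise TokenRejected("malformed token") from exc
    if not all(isinstance(v, str) for v in (kid, payload, tag)):
        raise TokenRejected("malformed token")
    key = AS_KEYS.get(kid)
    if key is None:
        raise TokenRejected("unknown issuer key")
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        raise TokenRejected("security protection invalid")
    # The protection is valid, so the token was generated by the AS holding
    # this key. Now check that this AS may issue tokens for this RS.
    if kid not in AUTHORIZED_AS_FOR_THIS_RS:
        raise TokenRejected("AS not authorized for this RS")
    return json.loads(payload)  # claims are read only at this point
```

A token that verifies correctly under the key of `as-other` is still rejected, which is the case the added sentence covers: a valid protection alone does not show that the issuing AS has the right to issue tokens for this RS.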