> On Feb 18, 2019, at 15:59, Sebastian Echeverria <sechever...@sei.cmu.edu> 
> wrote:
> 
> Hello,
>  
> I have a short comment about error responses from an RS in 
> draft-ietf-ace-oauth-authz-21. More specifically, my question is about 
> section 5.8.2. In the second paragraph, it states “The response code MUST be 
> 4.01 (Unauthorized) in case the client has not performed the 
> proof-of-possession, or if RS has no valid access token for the client.” I am 
> assuming this means that if the client is trying to access a resource and 
> sending a pop key id that is not known by the RS, either because the RS has 
> never seen it or because it is associated to a token that has already been 
> removed from the RS, then this is how the RS should reply.
>  
> If this is the case, I am a bit confused on how to implement this when using 
> the DTLS profile. When using this profile, a client will first try to 
> establish a DTLS session with the RS when accessing a resource. Once the 
> session is established, it will actually try to access the resource over that 
> DTLS connection. The pop key id to be used is sent when establishing the DTLS 
> connection in the DTLS handshake messages, but if the RS does not have a 
> key+token associated to that id for whatever reason, then it will cancel the 
> DTLS handshake. If the DTLS handshake is never completed, then the RS can’t 
> really send a reply at all, much less a 4.01 reply.

Actually, if the DTLS handshake fails, the client can’t even send the request, 
so the MUST doesn’t apply.  (That is probably worth another sentence.)

(Another question of course is if the DTLS handshake failure is sufficiently 
speaking for this case.)

Regards, Carsten

>  
> Thanks,
>  
> Sebastian Echeverria
> _______________________________________________
> Ace mailing list
> Ace@ietf.org
> https://www.ietf.org/mailman/listinfo/ace
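The two situations distinguished above, as an added toy model that is not code from the thread, the draft or any ACE implementation: the key id lookup happens in the DTLS handshake (failure means no CoAP exchange at all), while the 4.01 rule applies to requests arriving over an already established session whose token has since been removed or expired. Class, method and field names (including the `exp` expiry field) are assumptions for illustration.

```python
# Added example, not code from the thread or the ACE draft: a toy resource
# server (RS) model showing why the DTLS-profile handshake check and the 4.01
# check live at different layers. Class and field names are assumptions.
import time


class ResourceServer:
    def __init__(self):
        # kid -> {"key": PoP key bytes, "exp": expiry epoch seconds or None}
        self._tokens = {}

    def install_token(self, kid, pop_key, exp=None):
        self._tokens[kid] = {"key": pop_key, "exp": exp}

    def remove_token(self, kid):
        self._tokens.pop(kid, None)

    def psk_callback(self, kid):
        """Called during the DTLS-PSK handshake with the identity (the pop
        key id) the client sent. Returning None aborts the handshake: no CoAP
        message exists yet, so no 4.01 can be sent at this point."""
        entry = self._tokens.get(kid)
        return entry["key"] if entry else None

    def establish_session(self, kid):
        """Returns a session (here just the bound kid) or None if the
        handshake was aborted because the RS does not know the kid."""
        return {"kid": kid} if self.psk_callback(kid) is not None else None

    def handle_request(self, session, now=None):
        """Application-layer check for a request on an established session.
        Returns a CoAP response code string (constructed values)."""
        now = time.time() if now is None else now
        kid = session.get("kid")
        if kid is None:
            return "4.01"  # no proof-of-possession performed on this session
        entry = self._tokens.get(kid)
        if entry is None:
            return "4.01"  # token removed after the session was set up
        if entry["exp"] is not None and entry["exp"] <= now:
            return "4.01"  # token expired since the handshake
        return "2.05"
```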
