On 2020-01-13 22:01, Brian Campbell wrote:
Thanks for the updates Ludwig,

Section 6.6. does propose one mitigation for the unbounded memory growth
problem. However, it relies on the AS to do pretty specific things with
the content of other claims for it to even be possible for an RS to
perform the mitigation approach. Do you think, for interoperability, it
needs to be more prescriptive? Like maybe requiring the cti/jti claim
with specific content and characteristics when exi is present or
embedding/encoding that sequence number in the value of the exi itself
alongside the lifetime of the token.



This sounds like a reasonable requirement. I'm even inclined to make
that a MUST and not just a SHALL. Next update coming soon.

/Ludwig


_______________________________________________
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace