Hi Stephanie,

Regarding the section that you quoted: "the client MUST be able to determine 
whether an AS has the authority to issue access tokens for a certain RS. This 
can for example be done through pre-configured lists, or through an online 
lookup mechanism that in turn also must be secured."

Assuming C has access to a function M letting it determine whether an AS has 
the authority to issue access tokens for a certain RS, this would certainly 
partly mitigate DoS attacks. The attack would be a DoS attack on C and M, but 
the attacker could not choose M.

The problem is that:
- if C has access to such a function M that can provide a link between AS and 
RS, the whole mechanism with sending the AS address in an error message seems 
completely redundant.
- If C does not have access to such a function M, the mechanism with sending an 
address in a spoofable error message seems like a very dangerous attack vector 
for DDoS attacks.

The only implementation of M that would make use of an error message would be 
if the error message contained something like sign(AS, RS), but this is 
something that is not discussed in the draft.

Cheers,
John

_______________________________________________
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace

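The three client behaviours John contrasts (a pre-configured list M, blindly following an unauthenticated AS address from the error, and an error that carries sign(AS, RS)) can be made concrete in a small model. This is an added example, not code from the ACE draft or from anyone in this thread. Everything in it is an assumption for illustration: the error is a dict with an "AS" URI and an optional hex "sig"; sign(AS, RS) is modelled as HMAC-SHA256 over both URIs under a key the client already trusts, standing in for a real signature scheme; M is a dict mapping an RS to the set of AS it accepts tokens from; the URIs are made up.

```python
"""Added example, not code from the ACE draft or from anyone in this thread.

It models the three client behaviours discussed above when an RS answers an
unauthorized request with an error that names an AS:

  1. C has a pre-configured list M (RS -> authorized AS): the AS field in the
     error is never consulted, so the hint is redundant.
  2. C has no M and follows the hint: a spoofed error steers C to an address
     of the attacker's choosing, and many clients become a DDoS source.
  3. The error carries sign(AS, RS): C verifies the binding before using it.

Assumptions (hypothetical, not from the draft): the error is a dict with an
"AS" URI and an optional hex "sig"; sign(AS, RS) is modelled as HMAC-SHA256
over "AS|RS" under a key the client already trusts for this purpose, standing
in for a real signature scheme.
"""
import hashlib
import hmac
from collections import Counter


class NoAuthoritativeAS(Exception):
    """Raised when the client cannot establish which AS is authoritative."""


def choose_as_with_list(rs, error, allowed):
    """Behaviour 1: M answers the question; the error's AS field is unused."""
    candidates = allowed.get(rs)
    if not candidates:
        raise NoAuthoritativeAS(rs)
    return sorted(candidates)[0]      # deterministic pick among authorized AS


def choose_as_unverified(rs, error):
    """Behaviour 2 (unsafe): trust whatever address the error names."""
    return error["AS"]


def sign_binding(key, as_uri, rs_uri):
    """Stand-in for sign(AS, RS): MAC over both URIs so neither can be swapped."""
    msg = f"{as_uri}|{rs_uri}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def choose_as_signed(rs, error, trust_key):
    """Behaviour 3: accept the hint only if the (AS, RS) binding verifies.

    `rs` is the server the client itself contacted, not a value taken from
    the message, so a genuine binding for another RS cannot be replayed here.
    """
    try:
        sig = bytes.fromhex(error.get("sig", ""))
    except ValueError:
        raise NoAuthoritativeAS(rs)
    if not hmac.compare_digest(sig, sign_binding(trust_key, error["AS"], rs)):
        raise NoAuthoritativeAS(rs)
    return error["AS"]


def where_clients_go(n_clients, error, chooser):
    """Count which address n clients contact after all receive the same error.

    A chooser that raises NoAuthoritativeAS lands in the "(none)" bucket.
    """
    hits = Counter()
    for _ in range(n_clients):
        try:
            hits[chooser(error)] += 1
        except NoAuthoritativeAS:
            hits["(none)"] += 1
    return hits


# --- constructed sample data (not captured from any real deployment) --------
RS = "coaps://rs.example"
TRUST_KEY = b"client-provisioned-trust-key"     # hypothetical
M = {RS: {"coaps://as.example"}}                # pre-configured list for behaviour 1

GENUINE_ERROR = {
    "AS": "coaps://as.example",
    "sig": sign_binding(TRUST_KEY, "coaps://as.example", RS).hex(),
}
# Attacker forges the error and names a victim to be flooded by clients.
SPOOFED_ERROR = {"AS": "coaps://victim.example"}


if __name__ == "__main__":
    print("list:      ", where_clients_go(1000, SPOOFED_ERROR,
                                           lambda e: choose_as_with_list(RS, e, M)))
    print("unverified:", where_clients_go(1000, SPOOFED_ERROR,
                                           lambda e: choose_as_unverified(RS, e)))
    print("signed:    ", where_clients_go(1000, SPOOFED_ERROR,
                                           lambda e: choose_as_signed(RS, e, TRUST_KEY)))
```

Running the script with the spoofed error shows the asymmetry: the list-based client sends all 1000 requests to the AS it already trusts, the unverified client sends all 1000 to the attacker-chosen victim, and the signed-binding client sends none. Note that the verifier takes the RS from the client's own connection rather than from the message, which is what stops an attacker from replaying a genuine sign(AS, RS') observed at some other RS'.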