Hi Mike,
I've got some more comments on § 3.2 of your I-D.
paragraph 4: "Encrypting the token contents is another alternative ..."
How does token content encryption prevent the disclosure and abuse of a token?
paragraph 5: "For those rare cases where the client is prevented from observing the contents of the token, token encryption has to be applied in addition to the usage of TLS protection"
How did you come to the conclusion these are _rare_ cases? The token is used to pass data between authorization server and resource server via the client as an intermediary. A self-contained token may contain a lot of user-specific or service provider internal information neither end-user nor authorization server would like to disclose to the client. Therefore, here at Deutsche Telekom we encrypt token contents by default.
paragraph 6: "To deal with token reuse, ... "
The "reuse" appears a bit misleading, isn't this paragraph talking about capture/tap and replay attacks?
regards,
Torsten.
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
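Added example (not from Torsten's message or the I-D) of what "encrypting the token contents" buys in the authorization server -> client -> resource server flow: a self-contained token protected with AES-GCM so the client can only relay it, while the resource server still verifies integrity and expiry. It assumes a symmetric key pre-shared between authorization server and resource server; the Claims fields and all function names are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
)
// Claims: self-contained token content the authorization server (AS) passes to the
// resource server (RS); the client only relays the token and must not be able to read it.
type Claims struct {
	Subject  string `json:"sub"`
	Internal string `json:"internal_ref"` // provider-internal data, not for the client
	Expires  int64  `json:"exp"`
}
// newAEAD builds AES-GCM under a key shared only by AS and RS (assumed pre-provisioned).
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}
// issueToken (AS side): token = base64url(nonce || ciphertext || GCM tag).
func issueToken(key []byte, c Claims) (string, error) {
	aead, err := newAEAD(key)
	if err != nil { return "", err }
	plain, _ := json.Marshal(c)
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return "", err }
	return base64.RawURLEncoding.EncodeToString(aead.Seal(nonce, nonce, plain, nil)), nil
}
// openToken (RS side): the tag check rejects any modification in transit or by the
// client; the expiry check bounds how long a captured-and-replayed token stays usable.
func openToken(key []byte, token string, now int64) (c Claims, err error) {
	aead, err := newAEAD(key)
	if err != nil { return c, err }
	raw, derr := base64.RawURLEncoding.DecodeString(token)
	ns := aead.NonceSize()
	if derr != nil || len(raw) < ns { return c, errors.New("malformed token") }
	plain, err := aead.Open(nil, raw[:ns], raw[ns:], nil)
	if err != nil { return c, errors.New("token rejected: authentication failed") }
	if err = json.Unmarshal(plain, &c); err != nil { return c, err }
	if now >= c.Expires { return c, errors.New("token expired") }
	return c, nil
}
// clientCanRead models the client: without the key it sees ciphertext, not JSON claims.
func clientCanRead(token string) bool {
	raw, err := base64.RawURLEncoding.DecodeString(token)
	return err == nil && json.Valid(raw)
}
```

With TLS alone the client would still see the claims in the token it carries; the expiry check limits replay of a captured token but does not by itself detect it, which is what paragraph 6 needs to address separately.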