FWIW…I was only responding to the question of making aud optional for bearer tokens.
The broader point is that regardless of token type, there is always an “aud” value — whether explicitly declared as a claim, or implicitly implied (e.g. through encryption so only the audience can consume it).

Phil

@independentid
www.independentid.com
phil.h...@oracle.com

On Oct 17, 2014, at 10:25 AM, Pete Resnick <presn...@qti.qualcomm.com> wrote:

> On 10/17/14 12:09 PM, Mike Jones wrote:
>>
>> This is the standard mitigation for a known set of actual attacks. We
>> shouldn’t even consider making it optional.
>>
>
> Do you mean you shouldn't consider making it optional for HoK? Again, making
> it clear that the MUST applies only to bearer assertions, and that future
> extensions for HoK might have different requirements, is all that is being
> asked for here.
>
> pr
> --
> Pete Resnick <http://www.qualcomm.com/~presnick/>
> Qualcomm Technologies, Inc. - +1 (858)651-4478
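As an added illustration of the mitigation the thread is arguing over (this is example code written for this page, not code from the thread, from the working group, or from any OAuth draft): a minimal JWT bearer-assertion check of the kind a token endpoint would run, which refuses an assertion that carries no "aud" claim or whose "aud" names some other recipient, even when the signature is valid. Binding the assertion to one named audience is what keeps a valid bearer assertion from being accepted anywhere other than where it was issued for. The shared key, the token endpoint URL, the client names and the timestamps are all constructed for the example; HS256 is used only so the block runs without any third-party library.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example only; nothing here comes from the thread.
DEMO_KEY = b"example-shared-secret-not-a-real-key"
TOKEN_ENDPOINT = "https://as.example/token"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # Restore the padding that JWS base64url encoding strips.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_jwt(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT from a claims dict (used only to build the samples)."""
    header = {"alg": "HS256", "typ": "JWT"}

    def dump(obj):
        return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())

    signing_input = dump(header) + "." + dump(claims)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_bearer_assertion(token: str, key: bytes, expected_aud: str, now=None):
    """Validate a JWT bearer assertion; returns (accepted, reason).

    The signature is checked first, then "aud": an assertion with no "aud",
    or with an "aud" that does not include this endpoint, is rejected.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except (ValueError, UnicodeDecodeError):
        return False, "malformed header"
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    signing_input = (parts[0] + "." + parts[1]).encode("ascii")
    expected_sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    try:
        actual_sig = _b64url_decode(parts[2])
    except ValueError:
        return False, "malformed signature"
    if not hmac.compare_digest(expected_sig, actual_sig):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(parts[1]))
    # "aud" may be a single string or a list of strings (JWT syntax).
    aud = claims.get("aud")
    if aud is None:
        return False, "missing aud"
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_aud not in audiences:
        return False, "aud mismatch"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        return False, "missing exp"
    if (time.time() if now is None else now) >= exp:
        return False, "expired"
    return True, "ok"


def sample_results(now=1413562200):
    """Constructed sample assertions covering each outcome of the aud rule."""
    base = {"iss": "client-a", "sub": "client-a", "iat": now, "exp": now + 600}
    tokens = {
        "good": make_hs256_jwt({**base, "aud": TOKEN_ENDPOINT}, DEMO_KEY),
        "good_list": make_hs256_jwt(
            {**base, "aud": ["https://rs.example/api", TOKEN_ENDPOINT]}, DEMO_KEY),
        "no_aud": make_hs256_jwt(base, DEMO_KEY),
        "wrong_aud": make_hs256_jwt(
            {**base, "aud": "https://other-as.example/token"}, DEMO_KEY),
        "wrong_key": make_hs256_jwt({**base, "aud": TOKEN_ENDPOINT}, b"some-other-key"),
    }
    return {name: validate_bearer_assertion(tok, DEMO_KEY, TOKEN_ENDPOINT, now=now)
            for name, tok in tokens.items()}


if __name__ == "__main__":
    for name, result in sample_results().items():
        print(f"{name:10s} -> {result}")
```

The check above is written for bearer assertions only, which is exactly the scope Pete is asking the MUST to be limited to; a holder-of-key profile would add a proof-of-possession step and might bind the assertion to its recipient differently, as the thread notes.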
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth