Oops, critical correction: I meant to say "WOULDN'T have used the same ticket". But I think it doesn't affect your point. :-)

Eve (from my iPad)

On Oct 29, 2015, at 4:27 AM, Andrew Hindle <andrew@hindleconsulting.com> wrote:

I'm happy with a wording change to 'any RPT'.  That language is neither forcibly singular, nor forcibly plural, which I think makes it better.

--&e

On Thu, Oct 29, 2015 at 5:18 AM, Eve Maler <eve@xmlgrrl.com> wrote:
Since we didn’t get to meet last week, we didn’t have a chance to discuss this issue synchronously as I’d hoped. James had brought this up to me:

https://github.com/KantaraInitiative/wg-uma/issues/229

In Core Sec 3.2.2 in draft V1.0.1...

https://docs.kantarainitiative.org/uma/draft-uma-core-v1_0_1.html#ticket-management

...it says...

"If the authorization server observes that a permission ticket is used by multiple different clients, it SHOULD attempt to revoke all RPTs already granted based on the compromised permission ticket."

However, wouldn't "all RPTs" amount to precisely a single RPT, if one was granted? If so, then it should simply say:

"If the authorization server observes that a permission ticket is used by multiple different clients, it SHOULD attempt to revoke any RPT already granted based on the compromised permission ticket."

====

Do we count even RPTs issued when an RPT is turned in by the client and a new one is minted by the AS in response as all being “granted based on the compromised permission ticket”? I’m not sure that would make sense for the attack, though, since the multiple different clients would have actually USED the same ticket in that case. So it seems to me that replacing “all RPTs” with “any RPT” would still be accurate and also less confusing.

Thoughts?

        Eve

Eve Maler | cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl | Calendar: xmlgrrl@gmail.com

_______________________________________________
WG-UMA mailing list
WG-UMA@kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/wg-uma



--
Andrew Hindle
Hindle Consulting Limited
+44 7966 136543


Hindle Consulting Limited is a company registered in England and Wales.  Company number: 8888564.
Registered office: Claremont House, Deans Court, Bicester, Oxfordshire OX26 6BW, UK.
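The ticket-management rule discussed in the thread (UMA Core 1.0.1 Sec 3.2.2), as an added toy model of the authorization-server side; this is example code written for this page, not the spec's or any UMA implementation's, and every ticket, client id and RPT value in it is constructed. It records which client first presented each permission ticket and which RPT(s) were minted from it; when a different client presents the same ticket, the AS marks the ticket compromised and revokes any RPT already granted from it.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set
import secrets


@dataclass
class TicketRecord:
    used_by: Optional[str] = None             # client_id that first presented the ticket
    rpts: Set[str] = field(default_factory=set)  # RPTs minted from this ticket
    compromised: bool = False                 # set once a second client presents it


class AuthorizationServer:
    """Toy AS (hypothetical, constructed for this example)."""

    def __init__(self) -> None:
        self.tickets: Dict[str, TicketRecord] = {}
        self.active_rpts: Set[str] = set()
        self.revoked_rpts: Set[str] = set()

    def issue_ticket(self) -> str:
        ticket = secrets.token_urlsafe(16)
        self.tickets[ticket] = TicketRecord()
        return ticket

    def request_rpt(self, client_id: str, ticket: str) -> Optional[str]:
        """Client presents a permission ticket at the RPT endpoint."""
        rec = self.tickets.get(ticket)
        if rec is None or rec.compromised:
            return None                       # unknown, expired or compromised ticket
        if rec.used_by is None:
            rec.used_by = client_id           # first use: remember the presenting client
        elif rec.used_by != client_id:
            # Same ticket seen from a different client: treat it as compromised
            # and revoke any RPT already granted based on it (the Sec 3.2.2 SHOULD).
            rec.compromised = True
            for rpt in rec.rpts:
                self.active_rpts.discard(rpt)
                self.revoked_rpts.add(rpt)
            rec.rpts.clear()
            return None
        rpt = secrets.token_urlsafe(16)       # same client may re-present the ticket
        rec.rpts.add(rpt)
        self.active_rpts.add(rpt)
        return rpt

    def is_active(self, rpt: str) -> bool:
        return rpt in self.active_rpts
```

Whether one or several RPTs were minted from the ticket before the second client showed up, the revocation loop covers all of them, which is the "any RPT" reading proposed in the thread.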