
Since we didn’t get to meet last week, we didn’t have a chance to discuss this issue synchronously as I’d hoped. James had brought this up to me:

https://github.com/KantaraInitiative/wg-uma/issues/229

In Core Sec 3.2.2 in draft V1.0.1...

https://docs.kantarainitiative.org/uma/draft-uma-core-v1_0_1.html#ticket-man...

...it says...

"If the authorization server observes that a permission ticket is used by multiple different clients, it SHOULD attempt to revoke all RPTs already granted based on the compromised permission ticket."

However, wouldn't "all RPTs" amount to precisely a single RPT, if one was granted? If so, then it should simply say:

"If the authorization server observes that a permission ticket is used by multiple different clients, it SHOULD attempt to revoke any RPT already granted based on the compromised permission ticket."

====

Do we count even RPTs issued when an RPT is turned in by the client and a new one is minted by the AS in response as all being "granted based on the compromised permission ticket"? I’m not sure that would make sense for the attack, though, since the multiple different clients would have actually USED the same ticket in that case. So it seems to me that replacing "all RPTs" with "any RPT" would still be accurate and also less confusing.

Thoughts?

Eve

Eve Maler | cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl | Calendar: xmlgrrl@gmail.com
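A toy model of the Core Sec 3.2.2 rule discussed in the message above, added here as an illustration; it is not code from the UMA spec or from any implementation, and the class, method and client names are assumptions. It takes the broader reading from the message, where an RPT re-minted when an older RPT is turned in inherits the older RPT's ticket basis, so the "all RPTs" revocation can reach more than one token.

```python
import secrets


class AuthorizationServer:
    def __init__(self):
        self.unredeemed = set()   # tickets issued and not yet turned in
        self.redeemer = {}        # ticket -> client_id that first turned it in
        self.lineage = {}         # rpt -> frozenset of tickets it was granted on
        self.active = set()       # RPTs currently valid
        self.compromised = set()  # tickets seen from more than one client

    def issue_ticket(self):
        ticket = secrets.token_urlsafe(16)
        self.unredeemed.add(ticket)
        return ticket

    def redeem(self, ticket, client_id, rpt_to_upgrade=None):
        """Client turns in a ticket, optionally with an RPT to be re-minted on top of it."""
        if ticket in self.compromised:
            return None
        owner = self.redeemer.get(ticket)
        if owner is not None and owner != client_id:
            # Same ticket from a second client: mark it compromised and revoke every RPT based on it.
            self.compromised.add(ticket)
            self.active -= {r for r in self.active if ticket in self.lineage[r]}
            return None
        if ticket not in self.unredeemed:
            return None  # already used by this same client, or never issued
        self.unredeemed.discard(ticket)
        self.redeemer[ticket] = client_id
        basis = {ticket}
        if rpt_to_upgrade in self.active:
            basis |= self.lineage[rpt_to_upgrade]  # re-minted RPT inherits the old basis
            self.active.discard(rpt_to_upgrade)
        rpt = secrets.token_urlsafe(16)
        self.lineage[rpt] = frozenset(basis)
        self.active.add(rpt)
        return rpt


def scenario():
    """Client A: T1 -> R1, then T2 turning in R1 -> R2. Client B then replays T1."""
    az = AuthorizationServer()
    t1 = az.issue_ticket()
    r1 = az.redeem(t1, "client-A")
    t2 = az.issue_ticket()
    r2 = az.redeem(t2, "client-A", rpt_to_upgrade=r1)  # R2's basis is {T1, T2}
    replay = az.redeem(t1, "client-B")                  # T1 now used by a second client
    return replay, r2 in az.active, t1 in az.compromised
```

Under the narrower "any RPT" reading, only the RPT minted directly from T1 (here R1, already turned in) would be in scope, so R2 would survive the replay.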