
Hello James,

I did only consider tokens indeed, instead of permission tickets. I am also not sure how that would work with the permission ticket.

For RPT and PAT OAuth2 tokens: I think bringing the option up may be useful. It is not a MUST of course. I understand that the choice is left to the implementation which type of tokens to use etc.

--Cigdem

From: James Phillpotts <james.phillpotts@forgerock.com>
Date: Tuesday, 18 October 2016 at 13:32
To: Cigdem Sengul <Cigdem.Sengul@nominet.uk>
Cc: "wg-uma@kantarainitiative.org WG" <wg-uma@kantarainitiative.org>
Subject: Re: [WG-UMA] Section 7 - Security considerations - bearer tokens

Hi Cigdem,

Is that for the PCT? The RPT and PAT are OAuth 2 tokens, so would be separately covered by the specs for OAuth 2 PoP, so I wouldn't have thought we need to say much about that. Not sure how PoP would work with the permission ticket.

Cheers,
James

On 18 October 2016 at 09:20, Cigdem Sengul <Cigdem.Sengul@nominet.uk> wrote:

Hello,

Eve suggested that I start the discussion about this in the list. Regarding the security concerns about the bearer tokens in the draft, I was curious whether it is worth mentioning Proof-of-Possession (PoP) tokens. In addition, RFC 6750 recommendations may also be referred to in the draft.

Thanks,
--Cigdem

_______________________________________________
WG-UMA mailing list
WG-UMA@kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/wg-uma
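The thread turns on the difference between a bearer RPT, which the resource server accepts from whoever presents it, and a proof-of-possession RPT, which the resource server accepts only from a presenter that can also prove control of a key named in the token. The following is an added example written for this page; it is not code from the thread, from the UMA working group, or from any UMA implementation. It uses a deliberately simplified token format (JSON claims plus an HMAC tag, not a real JWS), a symmetric PoP key that the resource server is assumed to know already (a `kid` in an RFC 7800 `cnf` claim, with the key itself assumed to arrive out of band, for instance via introspection), a hypothetical canonical request form for the proof, and a constructed UMA-style `permissions` claim. All key material and names are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed secrets for the demo: the key the AS uses to tag RPTs (and
# the RS uses to check them) and the client's proof-of-possession key.
# Assumption: the RS already knows the PoP key under the kid "client-key-1".
AS_SIGNING_KEY = secrets.token_bytes(32)
CLIENT_POP_KEY = secrets.token_bytes(32)
RS_KNOWN_POP_KEYS = {"client-key-1": CLIENT_POP_KEY}


def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_rpt(permissions, cnf_kid=None):
    """AS side: emit claims plus an HMAC tag (simplified, not a real JWS).
    A cnf claim (RFC 7800) names the key the presenter must prove control of;
    without it the token is a plain bearer token."""
    claims = {"permissions": permissions}
    if cnf_kid is not None:
        claims["cnf"] = {"kid": cnf_kid}
    body = b64u(json.dumps(claims, sort_keys=True).encode())
    tag = hmac.new(AS_SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{b64u(tag)}"


def verify_rpt(token):
    """RS side: check the AS tag in constant time; return claims or None."""
    try:
        body, tag = token.split(".")
        expected = hmac.new(AS_SIGNING_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64u_decode(tag)):
            return None
        return json.loads(b64u_decode(body))
    except (ValueError, json.JSONDecodeError):
        return None


def proof_of_possession(method, path, token, pop_key):
    """Client side: HMAC over the request and the token with the PoP key.
    The canonical form (method, path, token) is a hypothetical one for the demo."""
    message = f"{method}\n{path}\n{token}".encode()
    return b64u(hmac.new(pop_key, message, hashlib.sha256).digest())


def rs_authorize(method, path, resource_id, scope, token, proof=None):
    """RS access decision: valid tag, matching permission, and, if the token
    carries cnf, a valid proof made with the confirmed key."""
    claims = verify_rpt(token)
    if claims is None:
        return False
    granted = any(p["resource_id"] == resource_id and scope in p["resource_scopes"]
                  for p in claims["permissions"])
    if not granted:
        return False
    cnf = claims.get("cnf")
    if cnf is None:
        return True  # bearer RPT: possession of the string is sufficient
    key = RS_KNOWN_POP_KEYS.get(cnf.get("kid"))
    if key is None or proof is None:
        return False
    return hmac.compare_digest(proof_of_possession(method, path, token, key), proof)


def replay_scenarios():
    """Constructed scenario: the same RPT string in the client's hands and in a
    thief's hands, once as a bearer token and once bound to the client's key."""
    perms = [{"resource_id": "photo-album", "resource_scopes": ["view"]}]
    bearer = issue_rpt(perms)
    bound = issue_rpt(perms, cnf_kid="client-key-1")
    thief_key = secrets.token_bytes(32)  # the thief has the token, not the key
    args = ("GET", "/albums/1", "photo-album", "view")
    return {
        # the RS cannot tell the thief's request from the client's: identical call
        "bearer_legit": rs_authorize(*args, bearer),
        "bearer_stolen": rs_authorize(*args, bearer),
        "pop_legit": rs_authorize(*args, bound,
                                  proof_of_possession("GET", "/albums/1", bound, CLIENT_POP_KEY)),
        "pop_stolen_no_proof": rs_authorize(*args, bound),
        "pop_stolen_wrong_key": rs_authorize(*args, bound,
                                             proof_of_possession("GET", "/albums/1", bound, thief_key)),
        # right key, but the token grants no "delete" scope
        "pop_wrong_scope": rs_authorize("DELETE", "/albums/1", "photo-album", "delete", bound,
                                        proof_of_possession("DELETE", "/albums/1", bound, CLIENT_POP_KEY)),
    }


if __name__ == "__main__":
    for name, allowed in replay_scenarios().items():
        print(f"{name:22s} -> {'allowed' if allowed else 'denied'}")
```

The bearer case is the RFC 6750 situation the first message refers to: the RS has nothing but the token string to go on, so a leaked or replayed RPT is accepted exactly as the legitimate one is. With the `cnf`-bound token the string alone is not enough; the presenter must also produce a proof with the confirmed key, which is why PoP is discussed for the OAuth 2 tokens (RPT, PAT) rather than for the permission ticket, which is a one-time handle the client carries to the AS and does not present to the RS for access.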