Hello James,
I did only consider tokens indeed, instead of permission tickets. I am also not sure how that would work with the permission ticket.
For RPT and PAT OAuth2 tokens: I think bringing the option up may be useful. It is not a MUST of course.
I understand that the choice is left to the implementation which type of tokens to use etc.
--Cigdem
From: James Phillpotts <james.phillpotts@forgerock.com>
Date: Tuesday, 18 October 2016 at 13:32
To: Cigdem Sengul <Cigdem.Sengul@nominet.uk>
Cc: "wg-uma@kantarainitiative.org WG" <wg-uma@kantarainitiative.org>
Subject: Re: [WG-UMA] Section 7 - Security considerations - bearer tokens
Hi Cigdem,
Is that for the PCT? The RPT and PAT are OAuth 2 tokens, so would be separately covered by the specs for OAuth 2 PoP, so I wouldn't have thought we need to say much about that. Not sure how PoP would work with the permission ticket.
Cheers,
James
On 18 October 2016 at 09:20, Cigdem Sengul <Cigdem.Sengul@nominet.uk> wrote:
Hello,
Eve suggested that I start the discussion about this in the list.
Regarding the security concerns about the bearer tokens in the draft, I was curious whether it is worth mentioning Proof-of-Possession (PoP) tokens.
In addition, RFC 6750 recommendations may also be referred to in the draft.
Thanks,
--Cigdem
_______________________________________________
WG-UMA mailing list
WG-UMA@kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/wg-uma
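To make concrete what the thread is weighing (bearer tokens, which anyone who captures them can present, versus Proof-of-Possession tokens, which are only useful together with a key the holder must prove it controls), here is an added example written for this page. It is not code from the thread, from the UMA draft or from any ForgeRock or Nominet implementation. The token format, the HMAC-based key binding, the `cnf`/`kid` lookup (modelled loosely on the RFC 7800 confirmation claim) and all secrets are constructed for the demo; a real deployment would use a JWS library and the OAuth 2 PoP profiles the thread refers to. The demo shows why a stolen PoP token is worth less than a stolen bearer token, and why the proof must be bound to a fresh nonce to stop replay.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed demo secret shared by the authorization server and resource server.
AS_SECRET = b"constructed-authorization-server-secret"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, as_secret: bytes = AS_SECRET) -> str:
    """Authorization-server side: HMAC-sign the claims (constructed compact format, not JWS)."""
    body = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(as_secret, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)


def verify_token(token: str, now: int, as_secret: bytes = AS_SECRET):
    """Resource-server side: return the claims if the AS signature is valid and unexpired, else None."""
    try:
        body_b64, tag_b64 = token.split(".")
        body, tag = _unb64(body_b64), _unb64(tag_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(as_secret, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    claims = json.loads(body)
    if claims.get("exp", 0) <= now:
        return None
    return claims


def bearer_authorize(token: str, now: int) -> bool:
    """Bearer model (RFC 6750): possession of a valid token is the whole check."""
    return verify_token(token, now) is not None


def sign_request(method: str, path: str, nonce: str, client_key: bytes) -> str:
    """Client side: prove possession of the bound key over the request and a fresh nonce."""
    msg = f"{method}\n{path}\n{nonce}".encode()
    return _b64(hmac.new(client_key, msg, hashlib.sha256).digest())


def pop_authorize(token: str, method: str, path: str, nonce: str, proof: str,
                  now: int, key_lookup, seen_nonces: set) -> bool:
    """PoP model: valid token AND a fresh proof made with the key named in the token's cnf claim."""
    claims = verify_token(token, now)
    if claims is None:
        return False
    kid = claims.get("cnf", {}).get("kid")          # constructed: key id, not the key itself
    client_key = key_lookup(kid)
    if client_key is None:
        return False
    if nonce in seen_nonces:                         # replay of a captured request
        return False
    expected = sign_request(method, path, nonce, client_key)
    if not hmac.compare_digest(expected, proof):
        return False
    seen_nonces.add(nonce)
    return True


def demo() -> dict:
    """Run the three scenarios the thread is concerned with on constructed data."""
    now = 1_000_000
    client_key = secrets.token_bytes(32)             # constructed: the client's PoP key
    keys = {"client-key-1": client_key}
    token = issue_token({"sub": "alice", "exp": now + 600, "cnf": {"kid": "client-key-1"}})
    seen: set = set()

    nonce = secrets.token_hex(8)
    proof = sign_request("GET", "/photos/1", nonce, client_key)
    legit = pop_authorize(token, "GET", "/photos/1", nonce, proof, now, keys.get, seen)
    # Someone who captured the whole request tries to replay it verbatim.
    replay = pop_authorize(token, "GET", "/photos/1", nonce, proof, now, keys.get, seen)
    # Someone who only stole the token (not the key) forges a new request.
    thief_proof = sign_request("GET", "/photos/1", "fresh-nonce", b"not-the-client-key")
    thief = pop_authorize(token, "GET", "/photos/1", "fresh-nonce", thief_proof, now, keys.get, seen)

    return {
        "bearer_accepts_token_thief": bearer_authorize(token, now),
        "pop_legitimate": legit,
        "pop_replay": replay,
        "pop_token_thief": thief,
    }
```

The bearer check passes for the thief because the token alone is the credential; the PoP check fails for both the thief (wrong key) and the replay (nonce already seen), which is the property the security-considerations text would be pointing readers to. Expiry is enforced in both models, so short lifetimes remain a useful mitigation even for bearer tokens.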