> >> * Also in section 3.3.1:
> >>
> >>      ... This
> >>      specification assumes that the access token is a PoP token as
> >>      described in [I-D.ietf-ace-oauth-authz] unless specifically stated
> >>      otherwise.
> >>
> >> I think "assumes ... unless" should be "MUST ... unless".
> > 
> > My understanding is that this is just talking about the text in the 
> > document itself.  But as far as I remember we always require PoP 
> > tokens, so this could just be removed.
> 
> It gets simpler if you always require PoP tokens. Does it state that 
> normatively somewhere?
> 
> The "unless" construct opens a can of worms about how things are to 
> work in that case.

Hmm, I didn't find a clear and unambiguous statement in a quick check.
Similar language about "in this document the access token is assumed to be a 
PoP token unless specified otherwise" in the core framework document, 
draft-ietf-ace-oauth-authz.  But that document uses "access token" some 130-odd 
times, and while I didn't see any mention of non-proof-of-possession in there, 
I may have missed one.  (There is discussion of not using symmetric 
proof-of-possession keys in a group-audience context, which is supposed to mean 
use asymmetric proof-of-possession keys in that case.)

Assuming that I remember correctly (and the WG should correct me if I'm wrong), 
it might be easiest to change both this document and the core framework to 
flatly assert that PoP tokens are always required.


[LS] I'm not convinced this would be a good resolution, as this will get us 
some pushback from the OAuth people, who want to be able to support use cases 
with bearer tokens (I'm Cc-ing Hannes for a more in-depth discussion).


 /Ludwig

_______________________________________________
Gen-art mailing list
Gen-art@ietf.org
https://www.ietf.org/mailman/listinfo/gen-art