On 2014-10-06, at 09:54, Mike Jones <michael.jo...@microsoft.com> wrote:
>> - 4.1.7: maybe worth adding that jti+iss being unique enough is not >> sufficient and >> jti alone has to meet that need. In >> X.509 the issuer/serial has the equivalent property so someone might assume >> sequential jti values starting at 0 are ok. > > Makes sense to add a warning of some kind along these lines. I think I know > the reasons you say that, but can you expand on that thought a bit before I > take a stab on writing this up? For instance, while normally true, I don't > think your observation is true if a relying party will only accept tokens > from a single issuer. So can someone remind me why jti needs to be unique globally, and not just per issuer? Grüße, Carsten _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
