Alright, this all sounds good without any changes, except:

On Wed, Apr 14, 2021 at 12:18 AM Vittorio Bertocci <vittorio.berto...@auth0.com> wrote:

> > (4) I presume it's important that any resource server rejection of the token
> > should be constant-time. Is this somewhere in the RFC tree, or do we need to
> > explicitly say it here and/or in Security Considerations?
>
> I am thinking of analogous descriptions in other specs and I don’t recall
> mentions of that aspect, hence I assumed we didn’t have to specify it here
> either. In particular, I glanced thru RFC6750 section 3, which this spec
> specializes for the specific JWT AT scenario, and they don’t mention that
> either.

IMO it would be good to add this here, especially if it isn't described
elsewhere in the ecosystem. That said, I'm happy to defer to the Security AD
as to whether this is an important addition.
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
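The constant-time rejection point discussed above, as an added example that is not from this thread or from any IETF document: a resource server validating an HS256 JWT access token with a constant-time signature comparison, evaluating every check before deciding so that no rejection path short-circuits earlier than another. The key, audience and claims are constructed for the example.

```python
# Added example (not from the mailing-list thread): resource-server side check of an
# HS256 JWT access token. The signing key and claims below are constructed test values.
import base64
import hashlib
import hmac
import json

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_hs256(claims: dict, key: bytes) -> str:
    """Test helper standing in for the authorization server: issues a signed token."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "at+jwt"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_hs256(token: str, key: bytes, expected_aud: str, now: float) -> bool:
    """Accept only if signature, audience and expiry all pass.
    The signature is compared with hmac.compare_digest, whose running time does not
    depend on the position of the first differing byte, and all three checks are
    evaluated before the result is combined, so the caller cannot tell from timing
    which check rejected the token."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        presented = b64url_decode(sig_b64)
    except ValueError:  # bad base64url, bad UTF-8 or bad JSON
        return False
    # Pin the algorithm; the header's "alg" must never select the verification method.
    if header.get("alg") != "HS256":
        return False
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    sig_ok = hmac.compare_digest(presented, expected)  # not `presented == expected`
    aud_ok = claims.get("aud") == expected_aud
    exp_ok = isinstance(claims.get("exp"), (int, float)) and claims["exp"] > now
    return sig_ok and aud_ok and exp_ok
```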