I have reviewed the Transaction Token document. In general I think it is a needed document and I am glad there is work in this area. I have some questions and comments below:
1. Section 4 defines Trust Domain and seems to point to RFC 7519. I couldn't find any reference to trust domain in 7519. 2. Why would you not include a kid claim? it seems that key rotation should be supported. Is there harm in requiring a kid? 3. From the text, I don't really understand what the purp: claim is for. 4. One of the things I expected to see in some txn-tokens is a username/email, but I did not see that in any examples, while there are privacy considerations here, is there a reason why it is not included? Would this be in the rctx: or the azd: claim? It not clear when I would use azd or rctx for a particular data value. 5. As discussed on the list I think there may be cases where there will not be an Oauth token to exchange. THe decision is that this is out of scope for this document, but the case should probably be mentioned. 6. Is it intended that a single transaction token service endpoint can serve more than one trust domain? (it seems like the protocol supports, but I am not sure if it is a design goal). 7. For a replacement token 7.4 it says the replacement may not change the rctx, but does not say anything about the azd. In section 5.2 it says that azd: remains immutable during the call chain. It seems that these two things do not line up and the replacement token needs something to change. Perhaps azd is not immutable? What are the asserted values that may change referred to in 7.4.1. 8. Section 7.5 is referring to OAUTH client authentication? Should it refer to RFC 8705 for mTLS/SPIFFE case? 9. Section 9.1 it probably should be mentioned earlier in the document that a transaction token cannot be issued based on a refresh token. Once again, thanks for your work on this document, I think it will be very useful. Joe
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
