Torsten Lodderstedt

Results 108 comments of Torsten Lodderstedt

@JaceHensley Have you seen my last comment?

I would say the current practice is ok as long as there are alternative countermeasures in place, e.g. if the AS is sure the code is only released to...

RFC 3986 6.2.1. talks about "bit-for-bit" or "byte-for-byte" comparison, which means case sensitive matching. Is that what you want to state?

I'm understanding the attempt to come up with an abstract description of the flow, but I don't see a common denominator between client credential, code and refresh token. I suggest...

I'm in favor of retaining the RT but reducing its scope. The token response shall return the adjusted scope value. I don't see a value in revoking the RT in...

What part of the Security BCP are you referring to? I'm only aware of https://tools.ietf.org/html/draft-ietf-oauth-security-topics-09#section-2.3, which refers to access tokens. In my opinion the meaning of the text in OAuth...

> I was wondering the same during its writing, I followed the related issue for its resolution.
>
> If confirmed I can move this PR to attestation-based client auth...

I'm in favor of incorporating OpenID Federation in HAIP as a modular extension to the existing key management mechanisms to manage trust. I'm hesitant to add it as another key...

Yes, we should discuss this. As far as I remember, we assumed scopes would be easier to use. From an interop standpoint, I think RAR is the more direct approach...

> Is it correct that the SD-JWT VC presentation is the "Verifiable Presentation" as expected in the vp_token property, so no extra 'wrapper' is needed around the derived sd vc...