ietf-rats-wg / eat

Entity Attestation Token IETF Draft Standard

Add further info on DLOA retrieval security #381

Closed laurencelundblade closed 1 year ago

laurencelundblade commented 1 year ago

This is to address AD review comment.

(I had to review the DLOAs document myself to be sure all was well. It was. This only describes how the security is achieved. No change.)

laurencelundblade commented 1 year ago

The DLOA download is made by the Verifier or RP. Can't think of why that would be SHOULD NOT for them.

carl-wallace commented 1 year ago

OK. Then probably worth mentioning that the consumer of the claim MAY be able to mutually authenticate to the resource to obtain the DLOA.

laurencelundblade commented 1 year ago

TLS server authentication here is so that the Verifier knows the DLOA is authentic. That's really important so we're just mentioning it so thoughtful readers will have that question answered without going to the DLOA document. The actual requirement comes from DLOA.

I don't think we need to mention client auth here one way or the other. It's not critical to the security of the DLOA and the DLOA document covers it. (The TLS client authentication here is in case the DLOA registrar wishes to restrict who can see DLOAs or a particular DLOA. Since many products that might have DLOAs proudly publish their certifications in the product literature, this doesn't seem important to mention. It is discussed in the DLOA document.)

I think the text is fine as is.

carl-wallace commented 1 year ago

OK