The first recommendation from the final security audit:
While Receivers are mandated to validate
the audience value in SETs (due to [RFC7519, Section 4.1.3]), they are currently not required to
validate the audience value in stream configurations returned by a Transmitter, e.g., in a stream
creation response. Our Receiver model respects this and hence mostly ignores streams’ audience
values. For SET validation, our Receiver model instead compares the SET’s audience value against
an expected value based on the access token used by the Receiver when requesting creation of
the stream (since this is where the Transmitter is required to derive an audience value from the
Receiver’s authorization, see [15, Section 7]).
However, it is likely that implementers use the stream’s audience value to validate SETs against,
hence, we recommend to mandate Receivers-side validation of stream audience values.
The first recommendation from the final security audit:
While Receivers are mandated to validate the audience value in SETs (due to [RFC7519, Section 4.1.3]), they are currently not required to validate the audience value in stream configurations returned by a Transmitter, e.g., in a stream creation response. Our Receiver model respects this and hence mostly ignores streams’ audience values. For SET validation, our Receiver model instead compares the SET’s audience value against an expected value based on the access token used by the Receiver when requesting creation of the stream (since this is where the Transmitter is required to derive an audience value from the Receiver’s authorization, see [15, Section 7]). However, it is likely that implementers use the stream’s audience value to validate SETs against, hence, we recommend to mandate Receivers-side validation of stream audience values.