This implies that the access token must have been signed with a vehicle-specific key, as otherwise there is no mechanism for the "Gen2 Server" to know which vehicle the token gives access to. I assume that when a "Gen2 server" gets a request for something in vehicle 1234, then it must first check if the access token has been signed with the key for vehicle 1234. If the access token was signed by some other key, e.g. the key for vehicle 1235, then the request shall be rejected.
Would it as an alternative be allowed for an "Access Token Server" to issue access tokens with a specified VIN? With that approach the same (private) key could be used to sign all access tokens, and the "Gen2 Server" would use the same (public) key to authenticate all tokens, and then additionally compare the explicit VIN with the current request. If a new vehicle is enrolled, there is no need to push keys for the new vehicle to both "Access Token Server" and "Gen2 Server".
That could give higher flexibility for Gen2 Server implementations and deployments to decide how to handle authentication/authorization; depending on the use case, they can restrict access to a specific vehicle either by signature or by explicit VIN.
To align this with issue #425 I suggest that the Access Token Server MUST include the VIN claim in the Access Token if it is present in the Access Grant Token.
As of today we require VIN for access grant tokens, but we do not support VIN for access tokens.
https://raw.githack.com/w3c/automotive/gh-pages/spec/VISSv2_Core.html#access-token
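The VIN-claim alternative described above, as an added illustration that is not part of the issue or of the VISSv2 specification: the Access Token Server signs every token with one key and puts the VIN in a claim, and the Gen2 Server verifies the signature with that single key, then compares the claim with the vehicle in the request. Assumptions: the key, claim names (`vin`, `iat`, `exp`) and token layout are made up for this example, and an HMAC is used in place of the asymmetric signature so it runs with the standard library only.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key: stands in for the Access Token Server's signing key.
ATS_KEY = b"demo-access-token-server-key"

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_access_token(key: bytes, vin: str, ttl: int = 600, now=None) -> str:
    """Access Token Server side: sign a token that carries the VIN as a claim."""
    now = int(time.time()) if now is None else now
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps({"vin": vin, "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def authorize_request(key: bytes, token: str, requested_vin: str, now=None):
    """Gen2 Server side: one verification key for all tokens, then an explicit VIN check.
    Returns (allowed, reason)."""
    now = int(time.time()) if now is None else now
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return False, "malformed token"
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    # Verify the signature before trusting any claim; compare_digest avoids timing leaks.
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return False, "bad signature"
    claims = json.loads(b64url_decode(payload))
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    # The VIN claim binds the token to one vehicle without per-vehicle signing keys.
    if claims.get("vin") != requested_vin:
        return False, f"token is for {claims.get('vin')}, request is for {requested_vin}"
    return True, "ok"
```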