Hi folks,

The cross-device security BCP contains several non-normative recommendations (should, may, recommended). We (the editors) are considering making some of these normative (SHOULD, MAY, RECOMMENDED) to give clearer guidance and emphasise the desirability of implementing certain mitigations. It will also help emphasise/encourage implementation choices (e.g. implement several mitigations to achieve defence-in-depth).

The idea is to make non-normative should, may and recommended statements that apply to mitigations that authorization servers and clients may implement. We are not thinking of introducing MUSTs at this point.

To make the discussion a little less abstract, we created a PR to show the changes we had in mind (see "Capitalise SHOULD, MAY and RECOMMENDED where appropriate" by PieterKas, Pull Request #75, oauth-wg/oauth-cross-device-security: <https://github.com/oauth-wg/oauth-cross-device-security/pull/75>).

Before making these changes, we wanted to get the perspective of other working group members:

1. Are there any concerns with adding normative requirements to the cross-device security BCP?
2. Are there any concerns with any of the proposed normative references in the PR (see "Capitalise SHOULD, MAY and RECOMMENDED where appropriate" by PieterKas, Pull Request #75, oauth-wg/oauth-cross-device-security: <https://github.com/oauth-wg/oauth-cross-device-security/pull/75>)?

Cheers,
Pieter
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth