I just uploaded a revised version incorporating most comments we gathered today.

http://tools.ietf.org/html/draft-lodderstedt-oauth-securityconsiderations-01

regards,
Torsten.
On 31.03.2011 12:08, Torsten Lodderstedt wrote:
Hi all,

I just uploaded a proposal for the security section of the core spec to the IETF site (http://datatracker.ietf.org/doc/draft-lodderstedt-oauth-securityconsiderations/).

As posted on the list previously, our idea was first to derive a security considerations section for the core spec by cutting down http://datatracker.ietf.org/doc/draft-lodderstedt-oauth-security/ to a reasonable size. We tried to go through the document and identify the pieces that should go into the spec in the informal OAuth security session here at IETF-80. Although we did not make it further than 4.1.3, the meeting turned out to be valuable since we agreed on certain principles we are expected to apply when producing the section:

- focus on the service provider and application developer perspective (and the protocol implementation)
- document the "what" and not the "why"
- for the "why", include an informative reference to the security document
- explicitly state don'ts and explicitly define and distinguish three client categories (web, native, JavaScript)

For example, we had a really lengthy discussion about native apps, client secrets and client authentication. Bottom line: we just state "Authorization server MUST NOT issue client secrets to installed or JavaScript applications."

Moreover, we agreed to produce a security considerations section as concise as possible and as quickly as possible. There were objections in the room to "just" cut down our document. Instead the proposal was to start something new.

So the proposed text focuses on the "WHAT" and references http://datatracker.ietf.org/doc/draft-lodderstedt-oauth-security/ for a discussion of the "WHY".

Your feedback is appreciated.

regards,
Torsten.
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
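The one concrete rule the message above settles on is that an authorization server must not issue client secrets to installed (native) or JavaScript clients, because such clients cannot keep a secret. The following is an added example (not from the thread, the draft, or any IETF code) of how an authorization server's client registration and token-endpoint client authentication can enforce that rule for the three client categories the message distinguishes. The client-type names (`web`, `native`, `javascript`), the in-memory registry and the function names are assumptions made for the illustration; the decision to reject a public client that presents a secret it was never issued is a design choice of this example, not something the message states.

```python
"""Client registration and token-endpoint client authentication that follow the
rule "Authorization server MUST NOT issue client secrets to installed or
JavaScript applications". Added example; client-type names, registry layout and
function names are assumptions for illustration, not from any specification."""
import hmac
import secrets

# The three client categories the thread agrees to distinguish. Only a web
# (server-side) client can keep a secret, so only that category is confidential.
CONFIDENTIAL_TYPES = {"web"}
PUBLIC_TYPES = {"native", "javascript"}

# Constructed in-memory registry: client_id -> {"type": ..., "secret": ... or None}
REGISTRY = {}


def register_client(client_type):
    """Register a client of the given type.

    Returns (client_id, client_secret). Web clients get a freshly generated
    secret; native and JavaScript clients are registered as public clients and
    get None, so there is never a secret to leak from the installed binary or
    the browser-visible script."""
    if client_type not in CONFIDENTIAL_TYPES | PUBLIC_TYPES:
        raise ValueError("unknown client type: %r" % (client_type,))
    client_id = secrets.token_urlsafe(16)
    if client_type in CONFIDENTIAL_TYPES:
        client_secret = secrets.token_urlsafe(32)
    else:
        client_secret = None
    REGISTRY[client_id] = {"type": client_type, "secret": client_secret}
    return client_id, client_secret


def authenticate_client(client_id, presented_secret):
    """Token-endpoint client authentication.

    Returns True if the request may proceed as this client. Confidential clients
    must present their secret (compared in constant time); public clients have
    no secret, so a presented one is treated as an error (design choice of this
    example: it signals a misconfigured or impersonating client)."""
    client = REGISTRY.get(client_id)
    if client is None:
        return False
    stored_secret = client["secret"]
    if stored_secret is None:
        # Public client (native or JavaScript): nothing was issued, nothing to check.
        return presented_secret is None
    if presented_secret is None:
        return False
    return hmac.compare_digest(stored_secret.encode("utf-8"),
                               presented_secret.encode("utf-8"))


if __name__ == "__main__":
    web_id, web_secret = register_client("web")
    native_id, native_secret = register_client("native")
    print("web client secret issued:", web_secret is not None)
    print("native client secret issued:", native_secret is not None)
    print("web auth with correct secret:", authenticate_client(web_id, web_secret))
    print("native auth without secret:", authenticate_client(native_id, None))
```

Run stand-alone, the script registers one web and one native client and shows that only the web client receives a secret and must present it at the token endpoint. Note that the secret comparison uses `hmac.compare_digest` rather than `==`, so a wrong secret is rejected without leaking how many leading bytes matched through timing.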