I was responding to the structure question only. The token text is questionable since the tokens are opaque to the core; it seems like the token write-up better belongs in the threat model document. Developers of the various token specs can use this as guidance and reference it.
From: Brian Eaton [mailto:bea...@google.com]
Sent: Thursday, July 07, 2011 10:59 AM
To: Anthony Nadalin
Cc: Eran Hammer-Lahav; oauth@ietf.org; Mark Mcgloin (mark.mcgl...@ie.ibm.com); Torsten Lodderstedt (tors...@lodderstedt.net); Phil Hunt (phil.h...@oracle.com)
Subject: Re: [OAUTH-WG] security considerations - authorization tokens

On Thu, Jul 7, 2011 at 10:49 AM, Anthony Nadalin <tony...@microsoft.com> wrote:
> When we constructed the current structure in Prague we thought that structure best fit the needs of an implementer, so my preference would be to keep it as it is now, but Torsten / Mark / Phil also may have feedback.

Really? The current doc has *no guidelines* on how to implement authorization tokens whatsoever. So even if you like the current organization of the security considerations, I suspect you'll agree it would make sense to offer some guidance on how these tokens ought to be implemented.
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth