Hi Brian,

your text is definitely a valuable contribution. Please note: your earlier text on OAuth security considerations has already been incorporated into the security document.

I would suggest first incorporating your new text there (probably together with your proposal regarding redirect URI validation). Afterwards we can decide what we really need in the core spec's security considerations section. When we wrote the first draft of this section, we intended to keep it focused on the essential MUSTs to be considered by implementors (client, AS, RS). Otherwise we will blow up this section too much and no one will read it. I would prefer to keep it that way.

Does this sound reasonable to you?

regards,
Torsten.

Brian Eaton <bea...@google.com> wrote:

>On Thu, Jul 7, 2011 at 11:08 AM, Anthony Nadalin <tony...@microsoft.com> wrote:
>
>> I was responding to the structure question only. The token text is
>> questionable since the tokens are opaque to the core, seems like the token
>> write-up better belongs in the threat model document. Developers of the
>> various token specs and use this as guidance and reference it.
>>
>
>OK, leaving aside the question of where the token text should end up, is the
>text I sent technically correct and useful?
>
>The proposed text is here:
>http://www.ietf.org/mail-archive/web/oauth/current/msg06362.html.
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth