On 04/24/2012 07:10 AM, Mark Mcgloin wrote:
> Michael Thomas <m...@mtcc.com> wrote on 24/04/2012 14:24:47:
>
>> The more I read this draft, the more borked I think its base assumptions
>> are. The client *is* one of the main threats. Full stop. A threat document
>> should not be asking the adversary to play nice. Yet, 4.1.4 bullets 1 and
>> 3 are doing exactly that again. If those are countermeasures, then so is
>> visualizing world peace.
>
> Irrelevant - we are only discussing bullet 2

Barry: to the extent that your shepherd's review was to take into
account my last call comments which went unanswered, this was
part of my last call comments and obviously haven't been accounted
for. Removing useless countermeasures from this document was part
of what I asked for and I still ask for.

I remain very disturbed by the prickliness of adding text that points
out the shortcomings of OAuth in embedded/app environments or
removing supposed mitigations that are not plausible. This is a
threat document, not a sales booster pamphlet.

Mike

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
