Not all of us look at individual drafts, and thus I have not previously read this, but I did this morning and find that there are issues with the way the "code challenge" is specified, as this requires pre-negotiation of what/how that value was achieved and a large scale deployment that is almost impossible. If a JWK were used as the default this could eliminate some of the guesswork and pre-negotiation work.
I don't think it's ready for WGLC as there has been no discussion yet.

-----Original Message-----
From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Hannes Tschofenig
Sent: Wednesday, August 27, 2014 8:45 AM
To: oauth@ietf.org
Subject: Re: [OAUTH-WG] Working Group Last Call on "Symmetric Proof of Possession for the OAuth Authorization Code Grant"

Based on the reaction from a few I thought I should add a few words about this working group last call.

There is no requirement to wait a specific timeframe after a document became a WG item to issue a working group last call. In this specific case, the document was around for a while and I didn't see a reason for not-finishing it as soon as possible.

Additionally, since the document deals with a security vulnerability that is being exploited today I thought it might make sense to get the attention from the group to review it.

Finally, it is also a fairly "simple" document (if there is something as simple in this working group).

Ciao
Hannes

On 08/26/2014 09:32 PM, Hannes Tschofenig wrote:
> Hi all,
>
> This is a Last Call for comments on the "Symmetric Proof of Possession
> for the OAuth Authorization Code Grant" specification.
>
> The document can be found here:
> http://datatracker.ietf.org/doc/draft-ietf-oauth-spop/
>
> Please have your comments in no later than September 9th.
>
> Ciao
> Hannes & Derek
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth