Just a quick reply to two of your remarks:

On 02/20/2016 09:49 AM, William Denniss wrote:
> The security researcher documents are only informative references

I think they should be informative references since they motivate the
reason for doing the work, but there is nothing in these publications
that raises interoperability concerns.

I believe the solution documents need to be descriptive enough that they
explain the threats so that a reader who does not read through the
informative reference section still understands what's going on.

> For my own knowledge: what are some of the use-cases that are subject
> to these attacks? I'm not convinced every RP that talks to more than
> 1 AS is at risk today. What are some risky situations that exist
> which are mitigated by this draft?

This is something I criticized in my review as well. IMHO the documents
could do a better job in describing the threats and particularly the
assumptions that need to hold in order for the attacks to work. Without
those it will be difficult to inform readers when this is a concern and
what level of risk this represents.

Ciao
Hannes


_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
