>> and I trust the authors and responsible AD to do the right thing.
>
> I always endeavor to do the right thing.

You do; hence, the trust.  :-)
And thanks for the quick responses.

>> — Section 1.1 —
>> Given the extensive discussion of impersonation here, what strikes me as
>> missing is pointing out that impersonation here is still controlled, that “A
>> is B” but only to the extent that’s allowed by the token.  First, it might be
>> limited by number of instances (one transaction only), by time of day (only
>> for 10 minutes), and by scope (in regard to B’s address book, but not B’s email).
>> Second, there is accountability: audit information still shows that the token
>> authorized acting as B.  Is that not worth clarifying?
>
> My initial response was going to be "sure, I'll add some bits in sec 1.1
> along those lines to clarify that." However, as I look again at that section
> for good opportunities to make such additions, I feel like it is already said
> that impersonation is controlled.
...
> So I think it already says that and I'm gonna have to flip it back and ask if
> you have concrete suggestions for changes or additions that would say it more
> clearly or more to your liking?

It is mentioned, true, and that might be enough.  But given that Eve
also replied that she would like more here, let me suggest something,
the use of which is entirely optional -- take it, don't take it,
modify it, riff on it, ignore it completely, as you think best.  What
do you think about changing the last sentence of the paragraph?: "For
all intents and purposes, when A is impersonating B, A is B within the
rights context authorized by the token, which could be limited in
scope or time, or by a one-time-use restriction."

>> — Section 6 —
>> Should “TLS” here have a citation and normative reference?
>
> I didn't include an explicit reference here because TLS is transitively
> referenced by other normative references (including 6749 of which this whole
> thing is an extension) and TLS is pretty widely recognized even without
> citation.
...
> I'm happy to add a citation here but it does raise the question of what the
> most appropriate way to cite TLS is right now - 1.3, 1.2, or the BCP or some
> combination thereof?

I wondered the same thing, and you're also right that it might not
need a reference in this document.  I only even flagged it because
it's the subject of a MUST.  I'll leave it to the Sec ADs (who
obviously didn't flag it themselves, so maybe they agree that it's not
necessary).

Barry

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth