On Fri, Jul 19, 2019 at 10:05:57AM -0600, Brian Campbell wrote:
> On Fri, Jul 19, 2019 at 8:31 AM Barry Leiba <barryle...@computer.org> wrote:
>
> > > > — Section 1.1 —
> > > > Given the extensive discussion of impersonation here, what strikes me as
> > > > missing is pointing out that impersonation here is still controlled, that “A is
> > > > B” but only to the extent that’s allowed by the token. First, it might be
> > > > limited by number of instances (one transaction only), by time of day (only for
> > > > 10 minutes), and by scope (in regard to B’s address book, but not B’s email).
> > > > Second, there is accountability: audit information still shows that the token
> > > > authorized acting as B. Is that not worth clarifying?
> > >
> > > My initial response was going to be "sure, I'll add some bits in sec 1.1
> > > along those lines to clarify that." However, as I look again at that section
> > > for good opportunities to make such additions, I feel like it is already said
> > > that impersonation is controlled.
> > ...
> > > So I think it already says that and I'm gonna have to flip it back and ask
> > > if you have concrete suggestions for changes or additions that would say it
> > > more clearly or more to your liking?
> >
> > It is mentioned, true, and that might be enough. But given that Eve
> > also replied that she would like more here, let me suggest something,
> > the use of which is entirely optional -- take it, don't take it,
> > modify it, riff on it, ignore it completely, as you think best. What
> > do you think about changing the last sentence of the paragraph?: "For
> > all intents and purposes, when A is impersonating B, A is B within the
> > rights context authorized by the token, which could be limited in
> > scope or time, or by a one-time-use restriction."
>
> Sure, I think that or some slight modification thereof can work just fine.
> I'll do that and get it and the rest of these changes published when the
> I-D submission embargo is lifted for Montreal.
My brain is apparently storming and not sleeping. Another option for consideration is to have two sentences:

For all intents and purposes, when A is impersonating B, A is B within the rights context authorized by the token. A's ability to impersonate B could be limited in scope or time, or even with a one-time-use restriction, whether via the contents of the token or an out-of-band mechanism.

-Ben

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
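The wording proposed in this thread names three ways A's ability to act as B can be bounded: scope, time, and one-time use, enforced either through the token's contents or through an out-of-band mechanism. The following is an added example, not code from the thread or from the Token Exchange draft, showing what a resource server that honours all three limits looks like. It assumes the issued token is an HS256 JWT carrying the standard sub, scope, nbf, exp and jti claims, a hypothetical key shared with the authorization server, and a ReplayCache that stands in for the out-of-band one-time-use store; the claim values are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Hypothetical secret shared by the authorization server and the resource
# server; constructed for this example only.
KEY = b"example-shared-secret-not-for-production"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes = KEY) -> str:
    """Issue an HS256 JWT carrying `claims`; stands in for the token the
    authorization server returns from a token-exchange request."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


class ReplayCache:
    """Out-of-band one-time-use enforcement: remembers each jti accepted.
    A real deployment would share this store across resource-server
    instances and expire entries once the token's exp has passed."""

    def __init__(self):
        self._seen = set()

    def consume(self, jti):
        if jti in self._seen:
            return False
        self._seen.add(jti)
        return True


def verify_impersonation(token, required_scope, replay, key=KEY, now=None):
    """Return (True, subject) if `token` lets its bearer act as `sub` for
    `required_scope` at time `now`, else (False, reason).

    Order matters: signature, time window, scope, then one-time use. The
    jti is consumed last so a token rejected on another check does not
    burn its single use."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    header_b64, claims_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:
        return False, "malformed"
    if not isinstance(header, dict):
        return False, "malformed"
    # Pin the algorithm: the verifier decides, never the token (rules out
    # "none" and key-confusion tricks).
    if header.get("alg") != "HS256":
        return False, "unsupported_alg"
    expected = hmac.new(key, f"{header_b64}.{claims_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad_signature"
    claims = json.loads(b64url_decode(claims_b64))
    if not isinstance(claims, dict) or "sub" not in claims:
        return False, "malformed"
    # Time limit: a token with no exp is treated as invalid, not as eternal.
    if "exp" not in claims or now >= claims["exp"]:
        return False, "expired"
    if now < claims.get("nbf", 0):
        return False, "not_yet_valid"
    # Scope limit: A may act as B only for what the token lists.
    if required_scope not in claims.get("scope", "").split():
        return False, "scope_denied"
    # One-time-use limit, enforced out of band through the replay store.
    if "jti" not in claims:
        return False, "missing_jti"
    if not replay.consume(claims["jti"]):
        return False, "replayed"
    return True, claims["sub"]


if __name__ == "__main__":
    now = int(time.time())
    # Constructed claims: A may act as B, for B's address book only,
    # for ten minutes, once.
    token = mint_token({"iss": "https://as.example", "sub": "B",
                        "scope": "addressbook.read", "nbf": now,
                        "exp": now + 600, "jti": "tx-0001"})
    cache = ReplayCache()
    print(verify_impersonation(token, "addressbook.read", cache))  # (True, 'B')
    print(verify_impersonation(token, "addressbook.read", cache))  # (False, 'replayed')
    print(verify_impersonation(token, "email.read", ReplayCache()))  # (False, 'scope_denied')
```

The caller is expected to log the returned subject together with the token's jti, which is what preserves the accountability point raised in the review: the audit trail records that a token, not B, authorized the action.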