1. Normative MUST/REQUIRED is fine in a BCP. 

2. This is not the definitive list, but instead the best list of things that we 
have at this time. There will be more attacks, and more mitigations for those 
attacks.

 — Justin

> On Nov 6, 2019, at 3:16 PM, Jared Jennings <jaredljenni...@gmail.com> wrote:
> 
> Hi,
> 
> This is my first time reviewing a document or responding to the group. So, 
> with that introduction feel free to guide me along the way.
> 
> Reading through the document, I had a few high-level questions first. I will 
> have more detailed comments later, once I know I'm on the right track and I 
> assume those comments I should just share with the mailing list?
> 
> 1. Since the document is a "Best Practices" document, are the words "MUST" 
> and "REQUIRED" and other definitive terms? Would instead SHOULD and 
> RECOMMENDED be used?
> 
> 2. Should other possible threats and vulnerabilities be included? Meaning, is 
> the list the definitive known list?
> 
> Thanks!
> -Jared
> Skype:jaredljennings
> Signal:+1 816.730.9540
> WhatsApp: +1 816.678.4152
> 
> 
> 
> On Wed, Nov 6, 2019 at 2:27 AM Hannes Tschofenig <hannes.tschofe...@arm.com> wrote:
> Hi all,
> 
> this is a working group last call for "OAuth 2.0 Security Best Current 
> Practice".
> 
> Here is the document:
> https://tools.ietf.org/html/draft-ietf-oauth-security-topics-13
> 
> Please send your comments to the OAuth mailing list by Nov. 27, 2019.
> (We use a three week WGLC because of the IETF meeting.)
> 
> Ciao
> Hannes & Rifaat
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
