Hi Michael et al.,

Thanks for the document, it is an interesting read! I like the "Security Rationale" section in particular. Very useful!

In general, this seems to go into a similar direction as the FAPI 2.0 Baseline profile we are currently developing in the FAPI WG [1]. It might be worthwhile to compare the two.

Some other points from a first read (all page numbers as printed, not the PDF page count):

- Why is PKCE not mandatory for confidential clients? It provides a strong second layer of defense when authorization codes are stolen.
- I found the description "front-end web server application" somewhat confusing (Section 2.1.1, p. 9). The client runs on the server's backend, I assume? On the front-end (browser), it should be a public client.
- In Section 3.7 (p. 22), the first and second paragraphs seem to contradict each other. The first one says "RECOMMENDED lifetimes", the second one says "MUST have a valid lifetime no greater than one hour".
- I was surprised that the Security BCP does not show up in Section 6.

-Daniel

[1] https://bitbucket.org/openid/fapi/src/master/FAPI_2_0_Baseline_Profile.md

On 02.03.20 at 20:53, Peck, Michael A wrote:
> Hello all,
>
> For anyone who may be interested: MITRE, in support of the U.S. Government,
> has developed tailored OAuth and OpenID Connect profiles for use in
> enterprise environments. We have leveraged previous standards efforts (e.g.
> work in the IETF and in the OpenID Foundation) and have detailed requirements
> to use the standards in a secure and interoperable manner to address
> enterprise environment use cases.
>
> These profiles should be considered informational as we seek feedback from
> subject matter experts. We're interested in working with standards bodies and
> others to move these concepts forward. We welcome any comments and
> suggestions at oauthoidcprofi...@groups.mitre.org .
>
> The profiles can be found at:
> https://www.mitre.org/publications/technical-papers/enterprise-mission-tailored-oauth-20-and-openid-connect-profiles
>
> Michael Peck
> The MITRE Corporation
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
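As an added illustration of the PKCE point raised in the reply above (this is example code written for this page, not part of the thread, the MITRE profiles or the FAPI 2.0 Baseline), the model below runs the authorization-code flow for a confidential client with and without PKCE (RFC 7636, S256). The interesting case is code injection: an attacker obtains a code issued for the victim's session and presents it to the legitimate client from the attacker's own session. Client authentication alone does not stop this, because the legitimate client redeems the code with its own secret; binding the code to the session's code_verifier does. All class, function, client and session names are assumptions, and the secrets and sessions are constructed inline.

```python
import base64
import hashlib
import secrets

# Added, self-contained model of PKCE (RFC 7636) in the authorization-code
# flow for a confidential client. Not code from the thread, the MITRE
# profiles or FAPI; class, function, client and session names are assumptions.


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier() -> str:
    """32 random octets -> 43-character verifier (RFC 7636 minimum length)."""
    return b64url(secrets.token_bytes(32))


def challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Issues codes bound to a code_challenge. enforce_pkce=False models an
    AS that relies on client authentication alone."""

    def __init__(self, clients: dict, enforce_pkce: bool = True):
        self.clients = clients          # client_id -> client_secret (constructed)
        self.enforce_pkce = enforce_pkce
        self._codes = {}                # code -> (client_id, code_challenge)

    def authorize(self, client_id: str, code_challenge: str, method: str = "S256") -> str:
        if method != "S256":            # "plain" gives no protection if the challenge leaks
            raise ValueError("only S256 is accepted")
        code = b64url(secrets.token_bytes(32))
        self._codes[code] = (client_id, code_challenge)
        return code                     # in reality delivered via the redirect URI

    def token(self, client_id: str, client_secret: str, code: str, code_verifier: str) -> dict:
        # Layer 1: client authentication. Stops an attacker who only holds the code.
        if not secrets.compare_digest(self.clients.get(client_id, ""), client_secret):
            return {"error": "invalid_client"}
        entry = self._codes.pop(code, None)       # codes are single-use
        if entry is None or entry[0] != client_id:
            return {"error": "invalid_grant"}
        # Layer 2: PKCE. Stops a stolen code being redeemed through the
        # legitimate client from a session that did not start the flow.
        if self.enforce_pkce and not secrets.compare_digest(
                challenge_s256(code_verifier), entry[1]):
            return {"error": "invalid_grant"}
        return {"access_token": b64url(secrets.token_bytes(16)), "token_type": "Bearer"}


class ConfidentialClient:
    """Server-side web app holding a client secret; one verifier per browser session."""

    def __init__(self, client_id: str, client_secret: str, auth_server: AuthorizationServer):
        self.client_id, self.client_secret = client_id, client_secret
        self.auth_server = auth_server
        self._sessions = {}             # session_id -> code_verifier

    def start_login(self, session_id: str) -> str:
        verifier = make_verifier()
        self._sessions[session_id] = verifier
        # Real flow: redirect the browser to /authorize; here the code comes straight back.
        return self.auth_server.authorize(self.client_id, challenge_s256(verifier))

    def finish_login(self, session_id: str, code: str) -> dict:
        # Whichever session presents the code, the client sends that session's verifier.
        return self.auth_server.token(self.client_id, self.client_secret,
                                      code, self._sessions[session_id])


def run_scenarios(enforce_pkce: bool = True) -> dict:
    """Legitimate login, replay of a used code, and code injection."""
    auth_server = AuthorizationServer({"web-app": "s3cret"}, enforce_pkce)
    client = ConfidentialClient("web-app", "s3cret", auth_server)

    code = client.start_login("victim-session")
    legitimate = client.finish_login("victim-session", code)
    replay = client.finish_login("victim-session", code)

    # Code injection: a fresh code from the victim's flow leaks (e.g. through a
    # referrer or a log) and the attacker presents it in their own session.
    stolen = client.start_login("victim-session")
    client.start_login("attacker-session")
    injected = client.finish_login("attacker-session", stolen)
    return {"legitimate": legitimate, "replay": replay, "injected": injected}
```

With enforce_pkce=True the injected code is rejected with invalid_grant because the attacker's session carries a different verifier; with enforce_pkce=False the same injection succeeds even though the client secret was never exposed, which is the gap a second layer of defense closes.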