[OAUTH-WG] HELP PLEASE!

2017-03-02 Thread Jingkie Pied
Date: Thursday, March 2, 2017 08:28:31 PM Re: Pushing "OAuth 2.0 for Native Apps" to the IESG From: Jingkie Pied Subject: [OAUTH-WG] Alexey Melnikov's No Objection on draft-ietf-oauth-amr-values-06: (with COMMENT) Message-ID: <148838910290.7012.7881193315246042639.idtrac...@ietfa

Re: [OAUTH-WG] Conclusion of 'OAuth Security Topics' Call for Adoption

2017-03-02 Thread Nat Sakimura
Great!

On Mon, Feb 20, 2017 at 8:02 PM Hannes Tschofenig wrote:
> Hi all,
>
> earlier this month we issued a call for adoption of the OAuth security
> topics draft, see draft-lodderstedt-oauth-security-topics-00, and the
> response was quite positive on the list (as well as during the last f2f
>

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-device-flow-04.txt

2017-03-02 Thread Brian Campbell
Two little nits about endpoint naming: Section 2 defines "device endpoint", which is used in the document everywhere except the new metadata sections (section 4

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-pop-key-distribution-03.txt

2017-03-02 Thread Nat Sakimura
+1 Token binding is good, but there are infrastructures that cannot deploy it while they still need HoK in some manner. It could be a short term thing -- perhaps 3 years, but they have to do it now so... I have a question about the draft. In section 5.1, `key` is optional and when it is omitted,

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-pop-key-distribution-03.txt

2017-03-02 Thread John Bradley
The private key is encrypted to the client. If the attacker has the symmetric key then it would get the proof key. I prefer the client to always provide the key, however some people believe that mobile devices can't reliably create secure keys, and it is better to have the server create the keypai

[OAUTH-WG] I-D Action: draft-ietf-oauth-native-apps-08.txt

2017-03-02 Thread internet-drafts
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Web Authorization Protocol of the IETF.

Title : OAuth 2.0 for Native Apps
Authors : William Denniss
          John Bradley
          Fil