[OAUTH-WG] Re: One-time confirmation tokens

2024-06-14 Thread Denis
Hi Dmitry, You have described a scheme with built-in "spy by design" opportunities, where the AS will be in a position to play the role of "Big Brother". If you follow a "privacy by design" approach, you will end up with a different architecture. “If the only tool you have is a hammer, you te

[OAUTH-WG] Re: One-time confirmation tokens

2024-06-14 Thread Neil Madden
On 14 Jun 2024, at 02:48, Dmitry Telegin wrote: > > Let's take the following (very common) scenario: > * A user logs into the system; > * They request an operation that might require additional confirmation from > the user, at the system's discretion. The most common example would be > payment

[OAUTH-WG] Re: Call for adoption - PIKA

2024-06-14 Thread Giuseppe De Marco
I support people who only want to do offline validation of the issuer domains. I support extensions as well, to not force people to believe that subject's identity and cryptographic material attestation alone are sufficient (at least in the cases where they should not according to the trust framewor

[OAUTH-WG] Protocol Action: 'OAuth 2.0 Security Best Current Practice' to Best Current Practice (draft-ietf-oauth-security-topics-29.txt)

2024-06-14 Thread The IESG
The IESG has approved the following document: - 'OAuth 2.0 Security Best Current Practice' (draft-ietf-oauth-security-topics-29.txt) as Best Current Practice This document is the product of the Web Authorization Protocol Working Group. The IESG contact persons are Paul Wouters, Deb Cooley and R