Re: [OAUTH-WG] Fwd: secdir review of draft-ietf-oauth-v2

2012-01-06 Thread Eran Hammer-Lahav
> Sent: Tuesday, September 20, 2011 7:12 PM > To: Eran Hammer-Lahav; OAuth WG > Subject: Re: [OAUTH-WG] Fwd: secdir review of draft-ietf-oauth-v2 > > > If the server issues clients with password credentials it MUST support HTTP > Basic (this is the flip side of 'the client

Re: [OAUTH-WG] Fwd: secdir review of draft-ietf-oauth-v2

2011-09-20 Thread Eran Hammer-Lahav
This will go into the IETF LC feedback loop. EHL > -Original Message- > From: André DeMarre [mailto:andredema...@gmail.com] > Sent: Tuesday, September 20, 2011 7:12 PM > To: Eran Hammer-Lahav; OAuth WG > Subject: Re: [OAUTH-WG] Fwd: secdir review of draft-ietf-oauth-

Re: [OAUTH-WG] Fwd: secdir review of draft-ietf-oauth-v2

2011-09-20 Thread André DeMarre
Behalf >> Of André DeMarre >> Sent: Wednesday, September 14, 2011 5:25 PM >> To: OAuth WG >> Subject: Re: [OAUTH-WG] Fwd: secdir review of draft-ietf-oauth-v2 >> >> I agree that stating "Clients in possession of a client password MAY use the >> HTTP Basic a

Re: [OAUTH-WG] Fwd: secdir review of draft-ietf-oauth-v2

2011-09-20 Thread Eran Hammer-Lahav
a delicate balance. I'm not inclined to touch it. EHL > -Original Message- > From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf > Of André DeMarre > Sent: Wednesday, September 14, 2011 5:25 PM > To: OAuth WG > Subject: Re: [OAUTH-WG] Fwd: secdir re

Re: [OAUTH-WG] Fwd: secdir review of draft-ietf-oauth-v2

2011-09-15 Thread Leif Johansson
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 09/15/2011 10:08 PM, Greg Brail wrote: > I understand and thanks for clarifying. I agree that there may be services > that do not want to support HTTP Basic at all for their authorization > flows and that requiring it would weaken the security of OA

Re: [OAUTH-WG] Fwd: secdir review of draft-ietf-oauth-v2

2011-09-15 Thread Greg Brail
ssage- From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of André DeMarre Sent: Wednesday, September 14, 2011 5:25 PM To: OAuth WG Subject: Re: [OAUTH-WG] Fwd: secdir review of draft-ietf-oauth-v2 I agree that stating "Clients in possession of a client password MAY us

Re: [OAUTH-WG] Fwd: secdir review of draft-ietf-oauth-v2

2011-09-14 Thread André DeMarre
I agree that stating "Clients in possession of a client password MAY use the HTTP Basic authentication scheme" [Section 2.3.1 paragraph 1] implies that authorization servers MUST support HTTP basic authentication, but such is never asserted. Instead, it says "The authorization server MAY accept any

Re: [OAUTH-WG] Fwd: secdir review of draft-ietf-oauth-v2

2011-09-14 Thread Greg Brail
I would like to add my support to the comments below on section 2.3, specifically 2.3.1. It is clear to me from reading section 2.3 that clients MAY use HTTP basic, or they MAY include client_id and client_secret in the request body -- however, the latter is not recommended. It is not clear what

[OAUTH-WG] Fwd: secdir review of draft-ietf-oauth-v2

2011-09-12 Thread Stephen Farrell
FYI, probably best for the WG to see/process these secdir comments as appropriate. I've not read 'em in detail myself yet, so as Leif says, feel free to react as appropriate. S. PS: Thanks Leif for reviewing this. Original Message Subject: secdir review of draft-ietf-oauth-v2