> Sent: Tuesday, September 20, 2011 7:12 PM
> To: Eran Hammer-Lahav; OAuth WG
> Subject: Re: [OAUTH-WG] Fwd: secdir review of draft-ietf-oauth-v2
>
> > If the server issues clients with password credentials it MUST support HTTP
> > Basic (this is the flip side of 'the client
This will go into the IETF LC feedback loop.
EHL
> -----Original Message-----
> From: André DeMarre [mailto:andredema...@gmail.com]
> Sent: Tuesday, September 20, 2011 7:12 PM
> To: Eran Hammer-Lahav; OAuth WG
> Subject: Re: [OAUTH-WG] Fwd: secdir review of draft-ietf-oauth-
Behalf
>> Of André DeMarre
>> Sent: Wednesday, September 14, 2011 5:25 PM
>> To: OAuth WG
>> Subject: Re: [OAUTH-WG] Fwd: secdir review of draft-ietf-oauth-v2
>>
>> I agree that stating "Clients in possession of a client password MAY use the
>> HTTP Basic a
a delicate balance. I'm not inclined to
touch it.
EHL
> -----Original Message-----
> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf
> Of André DeMarre
> Sent: Wednesday, September 14, 2011 5:25 PM
> To: OAuth WG
> Subject: Re: [OAUTH-WG] Fwd: secdir re
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 09/15/2011 10:08 PM, Greg Brail wrote:
> I understand and thanks for clarifying. I agree that there may be services
> that do not want to support HTTP Basic at all for their authorization
> flows and that requiring it would weaken the security of OA
ssage-
From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of
André DeMarre
Sent: Wednesday, September 14, 2011 5:25 PM
To: OAuth WG
Subject: Re: [OAUTH-WG] Fwd: secdir review of draft-ietf-oauth-v2
I agree that stating "Clients in possession of a client password MAY
use the HTTP Basic authentication scheme" [Section 2.3.1 paragraph 1]
implies that authorization servers MUST support HTTP basic
authentication, but such is never asserted. Instead, it says "The
authorization server MAY accept any
I would like to add my support to the comments below on section 2.3,
specifically 2.3.1.
It is clear to me from reading section 2.3 that clients MAY use HTTP
basic, or they MAY include client_id and client_secret in the request
body -- however, the latter is not recommended.
It is not clear what
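The two client-password mechanisms the message above is weighing, HTTP Basic versus client_id/client_secret in the request body, are easiest to compare at the token endpoint itself. The following is an added example, not code from the thread, the draft or any OAuth library: it accepts either mechanism as section 2.3.1 of the draft (later RFC 6749) describes, form-unquotes the Basic credentials as that section requires, rejects a request that uses both mechanisms at once, and compares secrets in constant time. The registry contents, header and form shapes, and helper names are this example's own assumptions.

```python
"""Client authentication at an OAuth 2.0 token endpoint (added example).

Covers the two client-password mechanisms from section 2.3.1 of
draft-ietf-oauth-v2 / RFC 6749: HTTP Basic and client_id/client_secret
in the form body. Registry, header/form shapes and helper names are
assumptions of this example, not any library's API.
"""
import base64
import binascii
import hmac
from urllib.parse import quote, unquote

# Constructed sample registry of confidential clients. A real server
# would store a salted hash of each secret rather than the secret itself.
CLIENT_REGISTRY = {
    "example-client": "constructed-secret",
}


def _credentials_from_basic(authorization):
    """Return (client_id, client_secret) from an HTTP Basic header, or None.

    Section 2.3.1 form-urlencodes both values before joining them with ':'
    and base64-encoding, so both halves are unquoted after decoding.
    """
    scheme, _, blob = authorization.strip().partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return unquote(user), unquote(password)


def _credentials_from_body(form):
    """Return (client_id, client_secret) from the form body, or None."""
    if "client_secret" not in form:
        return None
    return form.get("client_id", ""), form["client_secret"]


def authenticate_client(headers, form, registry=CLIENT_REGISTRY):
    """Authenticate a confidential client; return its client_id or None.

    headers: dict of request headers (names matched case-insensitively)
    form:    dict of decoded application/x-www-form-urlencoded parameters

    Section 2.3 forbids more than one authentication method per request,
    so a Basic header plus a client_secret in the body is rejected.
    """
    auth_header = next(
        (v for k, v in headers.items() if k.lower() == "authorization"), None
    )
    from_basic = _credentials_from_basic(auth_header) if auth_header else None
    from_body = _credentials_from_body(form)

    if from_basic and from_body:
        return None  # two mechanisms in one request
    creds = from_basic or from_body
    if creds is None:
        return None  # no client password presented at all

    client_id, client_secret = creds
    expected = registry.get(client_id)
    if expected is None:
        # Burn a comparison so unknown ids cost about the same as known ones.
        hmac.compare_digest(client_secret.encode("utf-8"), b"x" * 32)
        return None
    if not hmac.compare_digest(client_secret.encode("utf-8"), expected.encode("utf-8")):
        return None
    return client_id


def basic_header(client_id, client_secret):
    """Build the Authorization header value a client sends per section 2.3.1."""
    raw = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(raw.encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    hdr = basic_header("example-client", "constructed-secret")
    print(authenticate_client({"Authorization": hdr}, {"grant_type": "client_credentials"}))
    print(authenticate_client({}, {"client_id": "example-client",
                                   "client_secret": "constructed-secret"}))
```

Whether a server is obliged to offer the Basic path is exactly the point the thread leaves open; a server that supports only the body form would simply drop `_credentials_from_basic` and reject requests carrying an Authorization header, and the constant-time comparison and the one-mechanism-per-request check apply either way.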
FYI, probably best for the WG to see/process these secdir
comments as appropriate. I've not read 'em in detail myself
yet, so as Leif says, feel free to react as appropriate.
S.
PS: Thanks Leif for reviewing this.
Original Message
Subject: secdir review of draft-ietf-oauth-v2