On the call people wanted me to clarify what I meant when I talked about operational security. In a nutshell, I mean:
- what systems and what people have access to long-lived secrets? Keep this to a reasonable level, where reasonable is defined by different use cases.
- what systems and what people have access to shorter-lived secrets? Repeat above caveat about reasonable protection.
- how are those secrets protected? Repeat above caveat about reasonable protection.
- deal with practical considerations of systems that people really build. Issues like latency, scalability, functionality, and complexity impact all of the above.

Cheers,
Brian

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth