I would tend to add section 5 as the security considerations section to the core draft, expanded by descriptions of relevant (generic) threats.

We could also add parts of the flow-specific threat model descriptions into the flow-specific sections of the core draft and link them to the security considerations section.

@Brian: where would you place the discussion of the design alternatives? Our document has them before the threat model.

regards,
Torsten.

On 22.02.2011 19:40, Eran Hammer-Lahav wrote:

IETF rules require a security considerations section. That doesn't mean we can't also incorporate additional security text into each grant section. But having one comprehensive security section makes the other parts easier to read.

EHL

*From:* Brian Eaton [mailto:bea...@google.com]
*Sent:* Monday, February 21, 2011 9:36 PM
*To:* Eran Hammer-Lahav
*Cc:* Torsten Lodderstedt; OAuth WG
*Subject:* Re: [OAUTH-WG] Fwd: New Version Notification for draft-lodderstedt-oauth-security-00

On Sun, Feb 20, 2011 at 3:47 PM, Eran Hammer-Lahav <e...@hueniverse.com> wrote:

    How do you envision this being incorporated into v2? Just section
    5 or the entire document?

My two cents: rather than dedicating a single section of the core doc to security considerations, smaller sections should be added to individual profiles. I think the following sections would be useful:

User-agent and web-server flow: mostly the same security considerations for these two flows. I think there are subsections here.

   1) Authorization server implementation

   2) Client implementation

Token design: Design and implementation recommendations for refresh tokens and access tokens.

Client id, client secret, and assertions: when and how to use client secrets, when and how to use assertions, how to store, etc...

Other flows: each of the other flows has separate security considerations. In some cases they are brief, but they pretty much always need to be there.

Cheers,

Brian

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth