On 6/2/11 6:48 PM, Brian Eaton wrote:
> On Thu, Jun 2, 2011 at 5:08 PM, Peter Saint-Andre <stpe...@stpeter.im
> <mailto:stpe...@stpeter.im>> wrote:
>
>     I think the SHOULD we had originally is probably fine -- with the
>     understanding that "SHOULD" means "you really ought to do this unless
>     you have a good reason not to". I think one such really good reason
>     might be an authorization server that doesn't allow unauthenticated
>     clients (i.e., clients that are not pre-registered or don't have
>     certificates or whatever).
>
>
> Really? What are you thinking of as "limited duration" credentials for
> a desktop application?
I'm not thinking about your use case, but things like enterprise deployments in high-security environments where every person and every software application has a certificate or is otherwise provisioned for authentication with the authorization server.

However, I'm not saying we should change or add any text to the spec, because the SHOULD allows such deployments to not issue tokens to clients that are incapable of authenticating. So I don't particularly see a reason to keep discussing the matter.

Peter

--
Peter Saint-Andre
https://stpeter.im/
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth