On Thu, Jun 2, 2011 at 7:13 PM, Peter Saint-Andre <stpe...@stpeter.im> wrote:

> I'm not thinking about your use case, but things like enterprise
> deployments in high-security environments where every person and every
> software application has a certificate or is otherwise provisioned for
> authentication with the authorization server.

I actually care quite a bit about that use case. =)

> However, I'm not saying we should change or add any text to the spec,
> because the SHOULD allows such deployments to not issue tokens to
> clients that are incapable of authenticating. So I don't particularly
> see a reason to keep discussing the matter.

OK, I understand the confusion now. I'm going to continue to push for the security considerations to be broken up more cleanly by use case, in part to avoid confusion like this.