Hi Eran,

I would suggest changing it to SHOULD and adding a reference to
https://tools.ietf.org/html/draft-ietf-oauth-v2-threatmodel-00 sections 3.7 and
5.2.3.

regards,
Torsten.



Eran Hammer-Lahav <e...@hueniverse.com> wrote:

It's a pointless MUST given how undefined the requirements are. It will only be 
understood by security experts and they don't really need it. At a minimum, it 
needs some examples.


EHL


From: Torsten Lodderstedt <tors...@lodderstedt.net>
Date: Wed, 1 Jun 2011 00:53:37 -0700
To: Eran Hammer-lahav <e...@hueniverse.com>, OAuth WG <oauth@ietf.org>
Subject: Section 10.1 (Client authentication)


Hi Eran,

would you please add the following sentence (which was contained in the
original security considerations text) to the second paragraph of
section 10.1?

    Alternatively, authorization servers MUST utilize
    other means than client authentication to achieve their security
    objectives.

I think it's important to state that authorization servers should
consider alternative ways to validate the client identity if secrets
cannot be used. The security threat document also suggests some.

regards,
Torsten.




_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
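As an added illustration (not from this thread or from the draft) of what "other means than client authentication" can look like for a public client that has no secret: the authorization server relies on exact matching of a pre-registered redirect URI and binds each single-use, short-lived code to the client_id and redirect_uri it was issued for, so an impostor presenting a stolen client_id cannot redeem a code it did not receive at the registered location. The client registry, URIs and secret below are constructed sample data.

```python
import secrets
import time

# Constructed client registry. The public client has no secret, so its
# pre-registered redirect URI is the only thing that distinguishes it from
# an impostor using the same client_id.
CLIENTS = {
    "public-mobile-app": {"secret": None, "redirect_uris": {"https://app.example/cb"}},
    "confidential-web": {"secret": "constructed-secret", "redirect_uris": {"https://web.example/cb"}},
}

# Outstanding authorization codes: code -> (client_id, redirect_uri, expiry).
_codes = {}
CODE_LIFETIME_SECONDS = 60


def issue_code(client_id, redirect_uri):
    """Authorization endpoint: issue a code only for an exact, registered redirect URI."""
    client = CLIENTS.get(client_id)
    # Exact string comparison against the registration; no prefix or wildcard matching.
    if client is None or redirect_uri not in client["redirect_uris"]:
        return None
    code = secrets.token_urlsafe(32)
    _codes[code] = (client_id, redirect_uri, time.time() + CODE_LIFETIME_SECONDS)
    return code


def redeem_code(code, client_id, redirect_uri, client_secret=None):
    """Token endpoint: redeem a code once, only for the client and URI it was bound to."""
    entry = _codes.pop(code, None)  # single use: a replayed code fails here
    if entry is None:
        return None
    bound_client, bound_uri, expiry = entry
    if time.time() > expiry or bound_client != client_id or bound_uri != redirect_uri:
        return None
    client = CLIENTS[client_id]
    # Confidential clients still authenticate; public clients skip this step
    # and rely on the redirect URI binding above instead.
    if client["secret"] is not None:
        if client_secret is None or not secrets.compare_digest(client["secret"], client_secret):
            return None
    return {"access_token": secrets.token_urlsafe(32), "client_id": client_id}
```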
