I still don’t find it useful. I think the existing text overall makes this point already.
EHL

From: Torsten Lodderstedt [mailto:tors...@lodderstedt.net]
Sent: Wednesday, July 06, 2011 12:48 AM
To: Eran Hammer-Lahav; OAuth WG
Subject: Re: Section 10.1 (Client authentication)

Hi Eran,

I would suggest changing it to SHOULD and adding a reference to https://tools.ietf.org/html/draft-ietf-oauth-v2-threatmodel-00 sections 3.7 and 5.2.3.

regards,
Torsten.

Eran Hammer-Lahav <e...@hueniverse.com> schrieb:

It's a pointless MUST given how undefined the requirements are. It will only be understood by security experts and they don't really need it. At a minimum, it needs some examples.

EHL

From: Torsten Lodderstedt <tors...@lodderstedt.net>
Date: Wed, 1 Jun 2011 00:53:37 -0700
To: Eran Hammer-Lahav <e...@hueniverse.com>, OAuth WG <oauth@ietf.org>
Subject: Section 10.1 (Client authentication)

Hi Eran,

would you please add the following sentence (which was contained in the original security considerations text) to the second paragraph of section 1.0.1?

Alternatively, authorization servers MUST utilize other means than client authentication to achieve their security objectives.

I think it's important to state that authorization servers should consider alternative ways to validate the client identity if secrets cannot be used. The security threat document also suggests some.

regards,
Torsten.
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
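One way to make concrete the distinction Torsten is drawing (authenticate the client where it holds a secret, fall back to other means where it cannot), as an added Python example that is not from this thread or from any OAuth implementation. The client registry, the names, and the choice of exact pre-registered redirect_uri matching as the "other means" for public clients are assumptions for illustration.

```python
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Client:
    client_id: str
    redirect_uri: str          # pre-registered at client registration
    secret: Optional[str] = None  # None => public client, no secret issued


# Constructed registry (assumed, not from the thread): one confidential
# web client that was issued a secret and one public native client.
REGISTRY = {
    "web-app": Client("web-app", "https://app.example/cb", secret="s3cret"),
    "mobile": Client("mobile", "com.example.app://cb"),
}


def authenticate_client(client_id: str, secret: Optional[str]) -> bool:
    """Client authentication as discussed for section 10.1: only possible
    for clients that were issued a secret; compared in constant time."""
    client = REGISTRY.get(client_id)
    if client is None or client.secret is None or secret is None:
        return False
    return hmac.compare_digest(client.secret, secret)


def redirect_uri_matches(client_id: str, redirect_uri: str) -> bool:
    """Alternative means for public clients: the redirect_uri must equal
    the registered value exactly (no prefix, substring or query match)."""
    client = REGISTRY.get(client_id)
    return client is not None and redirect_uri == client.redirect_uri


def check_client(client_id: str, secret: Optional[str], redirect_uri: str) -> str:
    """Decide how the authorization server establishes trust in a request.
    Returns 'confidential', 'public' or 'reject'."""
    client = REGISTRY.get(client_id)
    if client is None:
        return "reject"
    if client.secret is not None:
        # Confidential client: the secret is the security control.
        return "confidential" if authenticate_client(client_id, secret) else "reject"
    # Public client: authentication is impossible, so the server relies on
    # the redirect URI binding instead (other means, such as requiring user
    # consent, are outside this example).
    return "public" if redirect_uri_matches(client_id, redirect_uri) else "reject"
```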