Almost done with -17.

I have sent a few emails to the list with open questions and requests. I will 
include as many of the replies as I can before publishing tomorrow or Saturday.

My remaining task is to try and move as much of the normative text (MUST, 
SHOULD) out of the security consideration section and into the relevant 
sections where the actual component is discussed. I also need to review all the 
normative language and make sure it is consistent (found a few MUST in one spot 
and SHOULD in another).

Changes not discussed fully on the list are marked with [[ Pending Consensus ]].

EHL

> -----Original Message-----
> From: Eran Hammer-Lahav
> Sent: Thursday, July 07, 2011 1:01 AM
> To: OAuth WG
> Subject: RE: Timely review request: pre-draft-17
> 
> I finished the major part of -17, adding a new Client registration section and
> folding client authentication into it. This new text attempts to directly
> address:
> 
> * client authentication requirements
> * define client types with regard to keeping secrets
> * set registration requirements
> * properly explain client identifier
> * replace client credentials with a more generic client authentication (in
> terms used throughout the document)
> * provide a comprehensive discussion of redirection URIs (this is where the
> few normative changes are)
> * tweak the implicit and authorization code intros to better reflect reality
> ('optimized for')
> * separate client identifier from client authentication (keep binding
> requirement)
> 
> Normative changes (this should be verified):
> 
> * require client authentication for private clients (previously implied)
> * require redirection endpoint registration for implicit grant and all for
> public clients requests
> * remove client_id as a required parameter from the token endpoint (now
> back to being part of the client_secret pair)
> 
> The draft includes other changes like new error codes, but I'll list those
> when the draft is published. I still have about 32 more items on my list to apply
> before publishing, but the major changes are done.
> 
> You can always find the latest here:
> 
> https://github.com/hueniverse/draft-ietf-oauth
> 
> Early review of the following sections would be GREATLY appreciated:
> 
> 2.  Client Registration
>     2.1.  Client Types
>     2.2.  Registration Requirements
>     2.3.  Client Identifier
>     2.4.  Client Authentication
>         2.4.1.  Client Password
>         2.4.2.  Other Authentication Methods
>     2.5.  Unregistered Clients
> 
> 3.1.2.  Redirection URI
> 
> 3.2.1.  Client Authentication
> 
> -17 will be published by Friday at which point I will leave it to the chairs
> to
> decide if they still want to initiate WGLC or give the draft a few days of
> informal review.
> 
> EHL
> 
> 
> > -----Original Message-----
> > From: Eran Hammer-Lahav
> > Sent: Monday, July 04, 2011 10:09 PM
> > To: OAuth WG
> > Subject: Timely review request: pre-draft-17
> >
> > I have started sharing my planned changes for 17:
> >
> > https://github.com/hueniverse/draft-ietf-oauth
> >
> > Change log:
> >
> > https://github.com/hueniverse/draft-ietf-oauth/commit/24a48f99c204331264028f66708427961a1bc102#diff-3
> >
> >
> > My main focus right now is to clarify client types, registration, and
> > identification, as well as tweak the registration requirements for
> > redirection URIs. This is still very raw. However, I would very much
> > like to get feedback about the following sections:
> >
> > 1.1.1.  Client Types
> > 1.2.  Client Registration
> >
> > 2.1.1.  Redirection URI
> >
> >
> > In section 2.1.1, please note that it includes many new normative
> > requirements, but in practice, they mostly boil down to the
> > requirement to register a redirection URI for using the implicit grant
> > type as well as using the authorization code with a public client (new
> > term for describing client incapable of keeping secrets).
> >
> > I have turned the spec around, making registered redirection URIs the
> > default, and using the parameter as an optional feature.
> >
> > Feedback is very much appreciated as we only have a few more days
> > before I have to push out -17 and would like a few more eyes looking
> > at the new text before published.
> >
> > I am still not ready to share changes to section 3. Also, I have a
> > long list of additional changes raised on the list.
> >
> > Thanks,
> >
> > EHL
> >
> >
> >

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
