seems you are contradicting yourself. You criticised the MUST and suggested to include some examples. I bought into your argument and suggested to refer to the security doc for examples and additional explanations. That's what this document is intended for, to provide background beyond what we can cover in the core spec.
And I don't think the spec already makes that point. But you are free to refer me to the respective text. regards, Torsten. Eran Hammer-Lahav <e...@hueniverse.com> schrieb: >I still don’t find it useful. I think the existing text overall makes >this point already. > >EHL > >From: Torsten Lodderstedt [mailto:tors...@lodderstedt.net] >Sent: Wednesday, July 06, 2011 12:48 AM >To: Eran Hammer-Lahav; OAuth WG >Subject: Re: Section 10.1 (Client authentication) > >Hi Eran, > >I would suggest to change it to SHOULD and add a reference to >https://tools.ietf.org/html/draft-ietf-oauth-v2-threatmodel-00 sections >3.7 and 5.2.3. > >regards, >Torsten. > > >Eran Hammer-Lahav <e...@hueniverse.com<mailto:e...@hueniverse.com>> >schrieb: >It's a pointless MUST given how undefined the requirements are. It will >only be understood by security experts and they don't really need it. >At a minimum, it needs some examples. > >EHL > >From: Torsten Lodderstedt ><tors...@lodderstedt.net<mailto:tors...@lodderstedt.net>> >Date: Wed, 1 Jun 2011 00:53:37 -0700 >To: Eran Hammer-lahav ><e...@hueniverse.com<mailto:e...@hueniverse.com>>, OAuth WG ><oauth@ietf.org<mailto:oauth@ietf.org>> >Subject: Section 10.1 (Client authentication) > >Hi Eran, > >would you please add the following sentence (which was contained in the >original security considerations text) to the second paragraph of >section 1.0.1? > >Alternatively, authorization servers MUST utilize > other means than client authentication to achieve their security > objectives. > > >I think it's important to state that authorization server should >consider alternative way to validate the client identity if secrets >cannot be used. The security threat document also suggest some. > >regards, >Torsten. _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
