> -----Original Message-----
> From: Torsten Lodderstedt [mailto:tors...@lodderstedt.net]
> Sent: Monday, July 25, 2011 7:19 AM
> To: Eran Hammer-Lahav
> Cc: OAuth WG
> Subject: Re: [OAUTH-WG] Issue 16, revised Redirection URI section (3.1.2)
>
> Hi Eran,
>
> On 25.07.2011 03:28, Eran Hammer-Lahav wrote:
> >
> >> -----Original Message-----
> >> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On
> >> Behalf Of Torsten Lodderstedt
> >> Sent: Wednesday, July 20, 2011 2:15 PM
> >>
> >> "The authorization server
> >> redirects the user-agent to the
> >> client's redirection URI previously established with the
> >> authorization server during the client registration process."
> >>
> >> Conflicts with section 3.1.2.3, which allows to pass a redirect_uri
> >> via URI query parameter.
> > Added 'or when initiating the authorization request'
> >
> >> 3.1.2.1 Endpoint Confidentiality
> >>
> >> What does "endpoint" confidentiality mean? Which endpoint does this
> >> text refer to? The client's redirect_uri endpoint?
> > This is a sub-section of the Redirection URI endpoint.
>
> ok, but how can an endpoint be confidential?

Good point. I'll change it to 'Endpoint Request Confidentiality'.

> >> 3.1.2.5. Endpoint Content
> >>
> >> As this section discusses security aspects of the client's
> >> implementation of the redirect_uri page, shouldn't this go to the
> >> security considerations section?
> > I think it is important enough to appear earlier. It is part of my effort to
> > integrate concrete normative language from the security sections up to the
> > protocol sections.
> >
>
> Understood and in support for this approach. Wouldn't this mean to remove
> some text from section 10 in order to prevent redundancies?

Which text? Duplication of security text is fine as long as it is consistent.

> Regarding this particular section: I think the two different issues (transport
> security and endpoint authenticity) should be presented separately.

Which section?

EHL
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth