Mike,

On 7 Sep 2011, at 21:17, Michael Thomas wrote:

> On 09/07/2011 12:56 PM, Kristoph wrote:
>> Mike,
>>
>> I am an implementer of this specification. I am struggling to understand what it is you are trying to communicate.
>>
>> The only thing I can discern is that you believe there is a large cadre of software architects / developers who you think have the skill to read and understand this specification, design and implement an OAuth 2.0 server, and yet not understand that a rogue embedded UA would compromise the end users' credentials. Is that basically your concern?
>>
>
> I think that the fine point of a rogue embedded UA will be lost on people, yes. Especially those who are specing out the higher level authentication service deployment.

I've been observing this thread as well as the OAuth mailing list without participating for some time, and I think what you write above gets to the heart of the matter. I have some sympathy for the issue you are trying to raise, but it is a common issue across many security protocols, and the document to discuss it in is not the protocol specification, which (IME in IETF) is typically focussed on how to implement (inter-operably) the protocol itself, not on best practices for deploying an implementation of the protocol. IMO, articulating the concerns you have is best placed either in the "threats" document (which I will admit I have not read) or a separate informational document (or possibly a BCP if there is sufficient deployment experience). Your original e-mail that started this thread was not targeted at a specific document, and my interpretation is that some of the hostility you have experienced is due to a frustration that your request is seen as a potential obstacle to getting the protocol specification out the door, because the issue you want to discuss is not directly related to how a developer might implement the protocol.

If I may be so bold, could I suggest that you propose some text that articulates the issue that you would like to see documented, and then the group can assess that text on its merits and try to reach consensus on which document, if any, it is best placed to reside within. At the risk of offending you or others, I would suggest that if you're not willing to propose text for whatever reason, then we put an end to this thread, as it is reminding me of this Dilbert cartoon: http://www.dilbert.com/2010-12-22/

Regards

Ben

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth