Hi Torsten,
On 11/02/2011 07:45 PM, Torsten Lodderstedt wrote:
Hi Stephen,
I'm concerned about your proposal (7) to make support for MAC a MUST for
clients and BEARER a MAY only. In my opinion, this does not reflect the
group's consensus.
That wasn't quite my comment, which is below:
(7) Doesn't 7.1 need to say which token types are MTI so that we
get interop? I think I'd like to see mac being a MUST and bearer
being a MAY but regardless of my preference, I don't think you
can be silent on this. And as a consequence one or both of
the mac/bearer drafts need to end up as normative.
> Beside this, the security threat analysis justifies
> usage of BEARER for nearly all use cases as long as HTTPS (incl. server
> authentication) can be utilized.
As I said, I personally prefer the mac scheme since it demonstrates
use of a key. However, as I also said, the main concern with this
point is interop. (I do note though that bearer has server-auth TLS
as a MUST USE, so the implication of making bearer a MUST is that
TLS is MTI for the base spec too and a MUST USE for anything
involving the MTI token type.)
In any case I can live with it so long as the set of things that
are MTI is clear.
Incidentally, I don't believe any amount of +1 messages to your
mail answer my point above. As Eran's mail asks: what is it
that you're suggesting be MTI for whom?
S.
regards,
Torsten.
On 13.10.2011 19:13, Stephen Farrell wrote:
Hi all,
Sorry for having been quite slow with this, but I had a bunch
of travel recently.
Anyway, my AD comments on -22 are attached. I think that the
first list has the ones that need some change before we push
this out for IETF LC, there might or might not be something
to change as a result of the 2nd list of questions and the
rest are really nits that can be handled either now or later.
Thanks for all your work on this so far - it's nearly there
IMO and we should be able to get the IETF LC started once
these few things are dealt with.
Cheers,
S.
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
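The thread contrasts two token types: a bearer token, which any holder can present and which therefore relies entirely on server-authenticated TLS for protection, and a MAC token, which "demonstrates use of a key" by binding each request to a secret the resource server can check. The following is an added illustration of that difference and is not code from the thread, from the OAuth drafts, or from any IETF participant. It uses a deliberately simplified request normalization and header format (assumptions for illustration; the actual MAC draft defines its own), a constructed token store, and a constructed shared secret.

```python
import hashlib
import hmac
import secrets

# Constructed sample token store for a resource server (illustration only).
TOKENS = {
    "bearer-token-1": {"type": "bearer", "scope": "read"},
    "mac-id-1": {"type": "mac", "key": b"constructed-shared-secret", "scope": "read"},
}
MAX_SKEW = 60  # seconds of clock skew tolerated for MAC timestamps (assumption)


def normalize(ts, nonce, method, path, host):
    """Simplified normalized request string (an assumption, not the draft's format)."""
    return f"{ts}\n{nonce}\n{method.upper()}\n{path}\n{host}\n".encode()


def fresh_nonce():
    """Client side: a random per-request nonce so identical requests never share a MAC."""
    return secrets.token_hex(8)


def mac_authorization(mac_id, key, ts, nonce, method, path, host):
    """Client side: build an Authorization header carrying an HMAC over the request."""
    mac = hmac.new(key, normalize(ts, nonce, method, path, host), hashlib.sha256).hexdigest()
    return f'MAC id="{mac_id}", ts="{ts}", nonce="{nonce}", mac="{mac}"'


def parse_params(s):
    """Parse the simplified 'k="v", k2="v2"' parameter list of the MAC header."""
    out = {}
    for part in s.split(","):
        k, _, v = part.strip().partition("=")
        out[k] = v.strip('"')
    return out


def verify(auth_header, method, path, host, now, seen_nonces):
    """Resource server side. Returns the token's scope on success, None on failure.

    A bearer token is accepted from any sender and for any request: the server
    cannot tell the legitimate client from someone who captured the token, which
    is why the bearer spec makes TLS with server authentication mandatory.
    A MAC token is accepted only if the sender proves possession of the key over
    this exact request, within the clock-skew window, and with an unused nonce.
    """
    scheme, _, rest = auth_header.partition(" ")
    if scheme == "Bearer":
        tok = TOKENS.get(rest.strip())
        if tok and tok["type"] == "bearer":
            return tok["scope"]
        return None
    if scheme == "MAC":
        p = parse_params(rest)
        tok = TOKENS.get(p.get("id", ""))
        if not tok or tok["type"] != "mac":
            return None
        try:
            ts = int(p["ts"])
        except (KeyError, ValueError):
            return None
        if abs(now - ts) > MAX_SKEW:
            return None  # stale or future-dated request
        nonce = p.get("nonce", "")
        replay_key = (p["id"], ts, nonce)
        if replay_key in seen_nonces:
            return None  # exact replay of an earlier request
        expected = hmac.new(
            tok["key"], normalize(ts, nonce, method, path, host), hashlib.sha256
        ).hexdigest()
        if not hmac.compare_digest(expected, p.get("mac", "")):
            return None  # key not demonstrated, or request was altered
        seen_nonces.add(replay_key)
        return tok["scope"]
    return None
```

Run against constructed requests, the bearer branch accepts the same token for any method and path, while the MAC branch rejects the same header re-sent to a different path, re-sent a second time with the same nonce, or presented outside the skew window; that is the "demonstrates use of a key" property the thread refers to, and the extra client-side signing step is the interop cost that makes the MTI question matter.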