Accepting draft-jones-oauth-amr-values-03 is almost okay as a starting point for work. I would like to see significant changes though:
* The "amr_values" parameter should be dropped; it just encourages brittle designs as section 4 "relationship to acr" and section 6 "security considerations" already warn about. There is no need to enable that brittleness. If someone really wants this functionality they could put an amr value in the "acr_values" field as a hack. * The model for amr_values is wrong as well. For example, "amr":["pwd","otp"] could be a common response that you want, but you cannot ask for that with amr_values since amr_values="pwd otp" actually means just "pwd", or just "otp" is okay (and just "pwd" is your preference). * Registering values on a "Specification Required" basis is over-the-top. This doc registers 8 amr values with just a few words as each value's "specification" (eg "eye": retina scan biometric). Each of the other 7 amr values are "specified" in a few lines with a reference (or two). A "First Come First Served" basis is probably sufficient, with the "specification" just the description in the registry (that can include references). -- James Manger -----Original Message----- From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Hannes Tschofenig Sent: Tuesday, 19 January 2016 10:48 PM To: oauth@ietf.org Subject: [OAUTH-WG] Call for Adoption: Authentication Method Reference Values Hi all, this is the call for adoption of Authentication Method Reference Values, see https://tools.ietf.org/html/draft-jones-oauth-amr-values-03 Please let us know by Feb 2nd whether you accept / object to the adoption of this document as a starting point for work in the OAuth working group. Note: The feedback during the Yokohama meeting was inconclusive, namely 9 for / zero against / 6 persons need more information. You feedback will therefore be important to find out whether we should do this work in the OAuth working group. Ciao Hannes & Derek _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
