Hi Mike,

On 02/20/2016 10:52 AM, Mike Jones wrote:
> Have you read both of their publications?  If not, do yourself a
> favor and do.  They're actually both very readable and quite
> informative.

I have read both documents. In the context of this discussion the question
is whether we

(a) require them to be read (in which case they should be a normative
reference), or
(b) suggest them to be read (since they provide additional background
information). In this case they are an informative reference.

I believe we want (b) for the OAuth WG document. While I
encourage everyone to read the publications, I also believe that there is
lots of material in there that goes beyond the information our audience
typically reads (such as the text about the formal analysis).

There is probably also a middle-ground where we either copy relevant
text from the papers into the draft or reference specific sections that
are "must-read".

One other issue: I actually thought that the threat that is outlined in
the research paper is sufficiently well described but the second threat,
which is called 'cut-and-paste attack', requires more work.
I noted this in my summary mail to the list, see
http://www.ietf.org/mail-archive/web/oauth/current/msg15697.html

Ciao
Hannes



_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
