Suggesting that they be read is, of course, the right long-term approach.  But 
as someone who spent 20+ years as a researcher before switching to digital 
identity, I was sensitive to not wanting to upstage their work by copying too 
much of their material into our draft before their publications were widely 
known.  I'll of course commit to working with the researchers and the working group 
to create a self-contained, concise description of the threats and mitigations 
in the working group document.

                                Cheers,
                                -- Mike

-----Original Message-----
From: Hannes Tschofenig [mailto:hannes.tschofe...@gmx.net] 
Sent: Saturday, February 20, 2016 2:25 AM
To: Mike Jones <michael.jo...@microsoft.com>; William Denniss 
<wdenn...@google.com>; Phil Hunt (IDM) <phil.h...@oracle.com>
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Fixing the Authorization Server Mix-Up: Call for 
Adoption

Hi Mike,

On 02/20/2016 10:52 AM, Mike Jones wrote:
> Have you read both of their publications?  If not, do yourself a favor 
> and do.  They're actually both very readable and quite informative.

I have read both documents. In the context of this discussion, the question is 
whether we

(a) require them to be read (in which case they should be a normative 
reference), or
(b) suggest them to be read (since they provide additional background 
information). In this case they are an informative reference.

I believe we want (b) for the OAuth WG document. While I encourage 
everyone to read the publications, I also believe that there is lots of material 
in there that goes beyond the information our audience typically reads (such as 
the text about the formal analysis).

There is probably also a middle-ground where we either copy relevant text from 
the papers into the draft or reference specific sections that are "must-read".

One other issue: I actually thought that the threat that is outlined in the 
research paper is sufficiently well described but the second threat, which is 
called 'cut-and-paste attack', requires more work.
I noted this in my summary mail to the list, see 
http://www.ietf.org/mail-archive/web/oauth/current/msg15697.html

Ciao
Hannes


_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth