Hi William, Hi John,

I just re-read version -8 of the document again.

Two minor remarks only.

Editorial issue: Why do you need to introduce a single sub-section
within Section 7.1 (namely Section 7.1.1)?

Background question: You note that embedded user agents have the
disadvantage that the app that hosts the embedded user agent can access
the user's full authentication credential. This is certainly true for
password-based authentication mechanisms, but I wonder whether this is
also true for strong authentication techniques, such as those used by
FIDO combined with token binding. Have you looked into more modern
authentication techniques as well and their security implications?

Ciao
Hannes
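As an added illustration of the external user-agent flow the draft describes (example code, not from the draft or from anyone in this thread): the native app builds the authorization request, hands the URI to the system browser, and later receives only the redirect carrying the authorization code, so the user's password never passes through the app. The authorization endpoint, client_id and private-use redirect URI are assumed placeholders; PKCE (RFC 7636, S256) is included because the app-side code is otherwise exposed to interception by another app that claims the same redirect scheme.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical authorization server and client values (assumptions, not from the thread).
AUTHZ_ENDPOINT = "https://as.example.com/authorize"
CLIENT_ID = "native-app-client"
REDIRECT_URI = "com.example.app:/oauth2redirect"  # private-use URI scheme claimed by the app

def b64url(raw: bytes) -> str:
    """Base64url without padding, as OAuth/PKCE parameters require."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def pkce_challenge(verifier: str) -> str:
    """S256 code challenge: BASE64URL(SHA256(ASCII(verifier))) per RFC 7636."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def build_authorization_request(state=None, verifier=None):
    """Build the URI the app hands to the external user-agent; returns (uri, state, verifier)."""
    state = state or b64url(secrets.token_bytes(16))      # CSRF binding, kept by the app
    verifier = verifier or b64url(secrets.token_bytes(32))  # PKCE secret, never sent in the URI
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",
        "state": state,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHZ_ENDPOINT}?{urlencode(params)}", state, verifier

def handle_redirect(redirect_uri: str, expected_state: str) -> str:
    """Validate the redirect the external user-agent delivered and return the code.
    This URI is all the app sees: the password was typed into the browser, not the app."""
    parsed = urlparse(redirect_uri)
    if f"{parsed.scheme}:{parsed.path}" != REDIRECT_URI:
        raise ValueError("redirect arrived on an unexpected URI")
    query = parse_qs(parsed.query)
    if "error" in query:
        raise ValueError(f"authorization server returned error: {query['error'][0]}")
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state, expected_state):  # tie the response to our request
        raise ValueError("state mismatch: response does not belong to this request")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in redirect")
    return code
```

The code returned by handle_redirect is then exchanged at the token endpoint together with the stored verifier, which is what lets the server reject a code presented by a different app.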

On 03/03/2017 07:39 AM, William Denniss wrote:
> Changes:
> 
> – Addresses feedback from the second round of WGLC.
> – Reordered security consideration sections to better group related topics.
> – Added complete URI examples to each of the 3 redirect types.
> – Editorial pass.
> 
> 
> 
> On Thu, Mar 2, 2017 at 10:27 PM, <[email protected]> wrote:
> 
> 
>     A New Internet-Draft is available from the on-line Internet-Drafts
>     directories.
>     This draft is a work item of the Web Authorization Protocol of the IETF.
> 
>             Title           : OAuth 2.0 for Native Apps
>             Authors         : William Denniss
>                               John Bradley
>             Filename        : draft-ietf-oauth-native-apps-08.txt
>             Pages           : 20
>             Date            : 2017-03-02
> 
>     Abstract:
>        OAuth 2.0 authorization requests from native apps should only be made
>        through external user-agents, primarily the user's browser.  This
>        specification details the security and usability reasons why this is
>        the case, and how native apps and authorization servers can implement
>        this best practice.
> 
> 
>     The IETF datatracker status page for this draft is:
>     https://datatracker.ietf.org/doc/draft-ietf-oauth-native-apps/
> 
>     There's also a htmlized version available at:
>     https://tools.ietf.org/html/draft-ietf-oauth-native-apps-08
> 
>     A diff from the previous version is available at:
>     https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-native-apps-08
> 
> 
>     Please note that it may take a couple of minutes from the time of
>     submission until the htmlized version and diff are available at
>     tools.ietf.org.
> 
>     Internet-Drafts are also available by anonymous FTP at:
>     ftp://ftp.ietf.org/internet-drafts/
> 
>     _______________________________________________
>     OAuth mailing list
>     [email protected]
>     https://www.ietf.org/mailman/listinfo/oauth
> 
