On Wed, May 24, 2017, at 05:17 PM, Brian Campbell wrote:
> As far as I can tell, 'NOT RECOMMENDED' is fine per RFC 2119.
>
> from https://www.ietf.org/rfc/rfc2119.txt
>
> 4. SHOULD NOT This phrase, *or the phrase "NOT RECOMMENDED"* mean
> that there may exist valid reasons in particular circumstances when
> the particular behavior is acceptable or even useful, but the full
> implications should be understood and the case carefully weighed
> before implementing any behavior described with this label.
>
> And also this errata notes that NOT RECOMMENDED should be in the first
> part of the abstract
> https://www.rfc-editor.org/errata_search.php?rfc=2119&eid=499

Never mind then!

> On Wed, May 24, 2017 at 9:27 AM, Alexey Melnikov
> <aamelni...@fastmail.fm> wrote:
>> Alexey Melnikov has entered the following ballot position for
>> draft-ietf-oauth-native-apps-11: No Objection
>>
>> When responding, please keep the subject line intact and reply to all
>> email addresses included in the To and CC lines. (Feel free to cut this
>> introductory paragraph, however.)
>>
>> Please refer to
>> https://www.ietf.org/iesg/statement/discuss-criteria.html
>> for more information about IESG DISCUSS and COMMENT positions.
>>
>> The document, along with other ballot positions, can be found here:
>> https://datatracker.ietf.org/doc/draft-ietf-oauth-native-apps/
>>
>> ----------------------------------------------------------------------
>> COMMENT:
>> ----------------------------------------------------------------------
>>
>> A couple of nits:
>>
>> 8.2. OAuth Implicit Grant Authorization Flow
>>
>>    The OAuth 2.0 implicit grant authorization flow as defined in
>>    Section 4.2 of OAuth 2.0 [RFC6749] generally works with the practice
>>    of performing the authorization request in the browser, and receiving
>>    the authorization response via URI-based inter-app communication.
>>    However, as the Implicit Flow cannot be protected by PKCE (which is a
>>    required in Section 8.1), the use of the Implicit Flow with native
>>    apps is NOT RECOMMENDED.
>>
>> NOT RECOMMENDED is not actually a construct allowed by RFC 2119, I think
>> you should reword it using "SHOULD NOT".
>>
>> It would be good to add RFC reference for HTTPS URIs.
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth