+1 for the proposed change. Providing context around the change and clarifying that this is not a reaction to some emergency would be useful IMO.
On Mon, Dec 3, 2018 at 1:50 PM Dick Hardt <dick.ha...@gmail.com> wrote:

> I disagree.
>
> Existing deployments that have not mitigated against the concerns with
> implicit should be ripped up and updated.
>
> For example, at one time, I think it was Instagram that had deployed
> implicit because it was easier to do. Once they understood the security
> implications, they changed the implementation.
>
> BCPs are rarely a response to a new threat, they are capturing Best
> Current Practices so that they become widely deployed.
>
> On Mon, Dec 3, 2018 at 10:41 AM Brian Campbell
> <bcampbell=40pingidentity....@dmarc.ietf.org> wrote:
>
>> FWIW I'm somewhat sympathetic to what Vittorio, Dominick, etc. are
>> saying here. And that was kind of behind the comment I made, or tried to
>> make, about this in Bangkok, which was (more or less) that I don't think
>> the WG should be killing implicit outright but rather that it should begin
>> to recommend against it.
>>
>> I'm not exactly sure what that looks like in this document but maybe
>> toning down some of the scarier language a bit, favoring SHOULDs vs. MUSTs,
>> and including language that helps a reader understand the recommendations
>> as being more considerations for new applications/deployments than as a
>> mandate to rip up existing ones.
>>
>> On Mon, Dec 3, 2018 at 8:39 AM John Bradley <ve7...@ve7jtb.com> wrote:
>>
>>> We just need to be sensitive to the spin on this.
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth