Thanks for the review and not objectionable ballot, Mirja. I wasn't aware of Alexey's comment until I saw your message here and went to the tracker https://datatracker.ietf.org/doc/draft-ietf-oauth-resource-indicators/ballot/ to find it. I think maybe an email got lost somewhere or didn't send or something? Anyway, in an attempt at bringing some continuity to the discussion I've copied his comment here:
"I like this document. Is tracking by authorization server a concern? I suspect on the balance it is less important than restricting token scope (and thus improving security of bearer tokens), but maybe this should be mentioned in the Security Considerations."

In all honesty, tracking by authorization server hasn't been a concern in my mind when working on this document because the authorization server is already squarely in the middle of everything and able to track a significant amount even in the absence of what this document describes. And, as you mention, the potential to improve security in an already track-able situation is more important in my mind.

With that said, however, I suppose that the resource parameter in this document does, in some circumstances (like when token introspection is not being used), make tracking things at a more granular and specific level possible. And that might warrant a mention in the Security (or Privacy) Considerations. I'm honestly not too sure what exactly that mention would say or how it would say it but I can work on some text.

On Wed, Aug 28, 2019 at 6:57 AM Mirja Kühlewind via Datatracker < nore...@ietf.org> wrote:

> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> I agree with Alexey that it would be good to mention any privacy implications
> of providing this additional information to the auth server in the security
> consideration section; maybe also further advising clients on which resources
> to request when.
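The tradeoff discussed in the message above (the authorization server learning each client's target resources versus bearer tokens being narrowed to a specific audience) can be made concrete with a small model. The following is an added example, not code from the thread, the draft or any IETF implementation. It assumes the `resource` parameter semantics of the resource-indicators draft as published in RFC 8707 (an absolute URI without a fragment, otherwise the AS answers with the `invalid_target` error) and models a token as a plain dict carrying an `aud` claim; the `observed` log, the `"*"` fallback audience for requests without a `resource` parameter, and all client and resource URIs are constructed for illustration.

```python
"""Model of an OAuth token request carrying RFC 8707 `resource` parameters.

Shows two sides of the same parameter: the resource server side (a token
minted for one audience is rejected at another) and the privacy side (the
authorization server now records exactly which resources each client asked
for). Constructed example; not the draft's or any implementation's code.
"""
from urllib.parse import parse_qs, urlencode, urlsplit


class InvalidTarget(ValueError):
    """Stands in for the RFC 8707 `invalid_target` error response."""


def validate_resource(value: str) -> str:
    """RFC 8707 syntax check: absolute URI, no fragment component."""
    parts = urlsplit(value)
    if not parts.scheme or not parts.netloc:
        raise InvalidTarget(f"resource must be an absolute URI: {value!r}")
    if parts.fragment:
        raise InvalidTarget(f"resource must not contain a fragment: {value!r}")
    return value


def build_token_request(client_id: str, resources: list[str]) -> str:
    """Client side: form-encoded body with one `resource` entry per target."""
    params = [("grant_type", "client_credentials"), ("client_id", client_id)]
    params += [("resource", r) for r in resources]
    return urlencode(params)


class AuthorizationServer:
    """Minimal AS that mints audience-restricted tokens and logs what it saw."""

    def __init__(self) -> None:
        # Privacy consideration: every (client, resources) pair the AS learns.
        self.observed: list[tuple[str, tuple[str, ...]]] = []

    def issue_token(self, body: str) -> dict:
        form = parse_qs(body, keep_blank_values=True)
        client_id = form["client_id"][0]
        # Repeated `resource` keys arrive as a list; validate each one.
        resources = [validate_resource(r) for r in form.get("resource", [])]
        self.observed.append((client_id, tuple(resources)))
        # Without a resource parameter the AS falls back to its broad default
        # audience, modelled here as "*" (an assumption of this example).
        aud = resources if resources else ["*"]
        return {"sub": client_id, "aud": aud}


def resource_server_accepts(token: dict, own_uri: str) -> bool:
    """Resource server side: accept only tokens whose `aud` names this server.

    This is the security benefit of the parameter: a narrowly-audienced bearer
    token replayed at a different resource server is refused.
    """
    return own_uri in token["aud"]


def demo() -> dict:
    """Run both paths and return what each party ends up knowing."""
    server = AuthorizationServer()
    # Constructed sample: one client names its targets, another does not.
    tok_a = server.issue_token(
        build_token_request("client-a", ["https://cal.example/", "https://mail.example/"])
    )
    tok_b = server.issue_token(build_token_request("client-b", []))
    return {
        "token_a_aud": tok_a["aud"],
        "token_b_aud": tok_b["aud"],
        "cal_accepts_a": resource_server_accepts(tok_a, "https://cal.example/"),
        "files_accepts_a": resource_server_accepts(tok_a, "https://files.example/"),
        "as_observed": server.observed,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the two messages side by side: client-a's token is accepted at `https://cal.example/` and refused at `https://files.example/`, while the AS log now contains client-a's exact resource list and only an empty tuple for client-b, which is the granular view the message above says may deserve a mention in the considerations section.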