Hello, I would like to point out that the issuer verifier problem still remains open, even given the text in 11.
The text is directionally wrong. It discusses how the issuer and verifier must be trusted, not what they can do together, and then only says that deployers must be aware and educate users. There's nothing actionable here, and user education doesn't work. Users cannot make security decisions of this nature, as we know from decades and decades of experience. Can we please get text that informs our readers what the issue is and what the risks are?

Sincerely,
Watson Ladd

--
Astra mortemque praestare gradatim

_______________________________________________
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-le...@ietf.org