This is all great, but it is informative text except for a few sprinkled interoperability keywords “for the implementer” (when, apparently, it already has been decided to use this mechanism).
The point, however, is that this specification has a limited area of applicability. Outsourcing security decisions about this to an unwitting user is never the right approach. The assumption that a user will intuitively understand the consequences of disclosure is a tall order. (“Intuitive” is code for “familiar”, and every second five people are born that are not familiar with the consequences.)

Beyond the nice discussion, usage of the mechanism needs to be governed by a strong, fully actionable applicability statement.

Regards,
Carsten