Roman Danyliw has entered the following ballot position for draft-ietf-oauth-browser-based-apps-24: No Objection

When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.)

Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ for more information about how to handle DISCUSS and COMMENT positions.

The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-oauth-browser-based-apps/

----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

Thank you to Thomas Fossati for the GENART review. Per his feedback, has the WG decided on whether to add this document to BCP212?

** Section 6.1.2.4.
   The OAuth flow used by this application architecture can be combined
   with OpenID Connect by including the necessary OpenID Connect scopes
   in the authorization request (C).

Is “OpenID Connect scopes” something that can get a reference?

** Section 6.1.3.4. This section has a number of clauses prescribing behavior with a “SHOULD”, but doesn’t provide much context on when or why this behavior might need to be ignored.

** Section 7.
   As a result, previous recommendations are often no longer recommended
   and proposed solutions often fall short of meeting the expected
   security requirements.

Whose “recommendations” is this referencing?

** Section 7.2.3.4. Editorial.
   It is relatively common to use third-party scripts in browser-based
   applications, such as analytics tools, crash reporting, and even
   things like a Facebook or Twitter "like" button

Consider if the explicit reference to “Facebook or Twitter” will age well, since “Twitter” doesn’t exist by that name anymore. Perhaps “social media ‘like’ button” instead?