Paul Wouters has entered the following ballot position for draft-ietf-regext-rdap-openid-25: Discuss
When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.)

Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ for more information about how to handle DISCUSS and COMMENT positions.

The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-regext-rdap-openid/

----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------

This is a fairly minor DISCUSS, but:

   As described in Section 3.1.4.2, the OAuth 2.0 Implicit Flow [RFC6749]
   is considered insecure and efforts are being made to deprecate the
   flow. It SHOULD NOT be used.

Any reason why, for a new deployment, e.g. RDAP OpenID support, this could not be a MUST NOT? Why allow something that is considered insecure?

----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

See also Valery's remarks from this review:
https://datatracker.ietf.org/doc/review-ietf-regext-rdap-openid-24-artart-lc-smyslov-2023-08-29/

   described in Section 3.1 of the OpenID Connect Core protocol.

   it is described in Section 3.2 of the OpenID Connect Core protocol.

   The Hybrid Flow (described in Section 3.3 of the OpenID Connect Core protocol)

Can a reference link be provided for these to make it easier on the reader/implementer? Ideally these (and the ones below) could use section-specific links, e.g.:
https://openid.net/specs/openid-connect-core-1_0.html#TokenRequestValidation
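As an added illustration of the DISCUSS point (not code from the draft or from any RDAP implementation), the check below classifies an OpenID Connect authorization request by its response_type into the Authorization Code, Implicit or Hybrid flow of OpenID Connect Core Sections 3.1 to 3.3 (plus the plain OAuth 2.0 response_type=token Implicit grant of RFC 6749), and lets a policy refuse the Implicit Flow outright, i.e. enforce the MUST NOT the ballot asks for rather than the draft's SHOULD NOT. The request URL is constructed for the example; the op.example host and client_id are placeholders.

```python
from typing import Tuple
from urllib.parse import parse_qs, urlsplit

# response_type sets defined by OpenID Connect Core 1.0 (Sections 3.1, 3.2, 3.3)
# and RFC 6749 Section 4.2. The value is space-delimited and order-insensitive,
# so it is matched as a set rather than as a string.
_FLOWS = {
    frozenset({"code"}): "authorization_code",
    frozenset({"token"}): "implicit",               # OAuth 2.0 Implicit grant
    frozenset({"id_token"}): "implicit",            # OIDC Implicit Flow
    frozenset({"id_token", "token"}): "implicit",   # OIDC Implicit Flow
    frozenset({"code", "id_token"}): "hybrid",
    frozenset({"code", "token"}): "hybrid",
    frozenset({"code", "id_token", "token"}): "hybrid",
}


def classify_flow(response_type: str) -> str:
    """Return the flow name for a response_type value, or 'unknown'."""
    return _FLOWS.get(frozenset(response_type.split()), "unknown")


def check_authorization_request(url: str, allow_implicit: bool = False) -> Tuple[bool, str]:
    """Policy check an RDAP client (RP) can apply before sending an authorization
    request, or an OP on receipt. allow_implicit=False is the MUST NOT policy;
    allow_implicit=True corresponds to the draft's SHOULD NOT (permitted, but flagged).
    Returns (accepted, reason)."""
    params = parse_qs(urlsplit(url).query)
    rt = params.get("response_type", [""])[0]
    flow = classify_flow(rt)
    if flow == "unknown":
        return False, "unrecognised response_type %r" % rt
    if flow == "implicit":
        if not allow_implicit:
            return False, "Implicit Flow rejected (response_type=%r)" % rt
        return True, "Implicit Flow accepted under SHOULD NOT policy (deprecated; tokens exposed in the front channel)"
    return True, "%s flow accepted" % flow


if __name__ == "__main__":
    # Constructed sample requests; op.example and client_id are placeholders.
    for q in ("code", "id_token%20token", "token", "code%20id_token", "code%20foo"):
        url = "https://op.example/authorize?response_type=%s&client_id=rdap-client&scope=openid" % q
        print(q.replace("%20", " "), "->", check_authorization_request(url))
```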