> -----Original Message-----
> From: Paul Wouters via Datatracker <nore...@ietf.org>
> Sent: Monday, October 2, 2023 3:14 PM
> To: The IESG <i...@ietf.org>
> Cc: draft-ietf-regext-rdap-ope...@ietf.org; regext-cha...@ietf.org;
> regext@ietf.org; AlBanna, Zaid <zalba...@verisign.com>; AlBanna, Zaid
> <zalba...@verisign.com>
> Subject: [EXTERNAL] Paul Wouters' Discuss on draft-ietf-regext-rdap-openid-25:
> (with DISCUSS and COMMENT)
>
> Paul Wouters has entered the following ballot position for
> draft-ietf-regext-rdap-openid-25: Discuss
>
> When responding, please keep the subject line intact and reply to all email
> addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
>
> Please refer to
> https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/
> for more information about how to handle DISCUSS and COMMENT positions.
>
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-regext-rdap-openid/
>
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
>
> This is a fairly minor DISCUSS, but:
>
>    As described in Section 3.1.4.2, the OAuth 2.0 Implicit Flow
>    [RFC6749] is considered insecure and efforts are being made to
>    deprecate the flow. It SHOULD NOT be used.
>
> Any reason why for a new deployment, eg RDAP OpenID support, this could
> not be a MUST NOT? Why allow something that is considered insecure?

[SAH] Thanks for the feedback! Sure, that makes sense. We can change that to MUST NOT.

> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> See also Valery's remarks from this review:
> https://datatracker.ietf.org/doc/review-ietf-regext-rdap-openid-24-artart-lc-smyslov-2023-08-29/

[SAH] Valery's feedback was addressed in version -25.

>    described in Section 3.1 of the OpenID Connect Core protocol.
>
>    it is described in Section 3.2 of the OpenID Connect Core protocol.
>
>    The Hybrid Flow (described in Section 3.3 of the OpenID Connect Core
>    protocol)
>
> Can a reference link be provided for these to make it easier on the
> reader/implementer? Ideally these (and the ones below) could use section
> specific links, eg:
> https://openid.net/specs/openid-connect-core-1_0.html#TokenRequestValidation

[SAH] Sure, I can see what <eref> markup does in both the text and HTML versions of the draft to make it easier to access those sections of the specifications.

Scott
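
As an added example that is not part of this thread or of the draft, here is one way a relying party could enforce the MUST NOT discussed above before sending an authorization request. The function names, the `FlowRejected` exception and the `op.example` host are assumptions made for illustration; the `response_type` groupings follow the table in OpenID Connect Core Section 3, and only the Implicit Flow is refused.

```python
from urllib.parse import urlsplit, parse_qs

# response_type sets per flow, from the table in OpenID Connect Core Section 3.
# "token" alone is the plain OAuth 2.0 implicit grant (RFC 6749 Section 4.2).
FLOWS = {
    frozenset({"code"}): "authorization_code",
    frozenset({"id_token"}): "implicit",
    frozenset({"id_token", "token"}): "implicit",
    frozenset({"token"}): "implicit",
    frozenset({"code", "id_token"}): "hybrid",
    frozenset({"code", "token"}): "hybrid",
    frozenset({"code", "id_token", "token"}): "hybrid",
}


class FlowRejected(ValueError):
    """Raised when an authorization request must not be sent (hypothetical name)."""


def classify_flow(response_type: str) -> str:
    """Map a space-delimited response_type value to its flow name."""
    values = response_type.split()
    flow = FLOWS.get(frozenset(values))
    # Order is not significant; empty, repeated or unknown values are refused.
    if flow is None or len(values) != len(set(values)):
        raise FlowRejected(f"unsupported response_type: {response_type!r}")
    return flow


def check_authorization_request(url: str) -> str:
    """Return the flow of an outgoing authorization request, refusing implicit."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    response_types = params.get("response_type", [])
    # A repeated parameter lets two parsers disagree on which value counts.
    if len(response_types) != 1:
        raise FlowRejected("response_type must appear exactly once")
    flow = classify_flow(response_types[0])
    if flow == "implicit":
        raise FlowRejected("Implicit Flow MUST NOT be used")
    return flow


if __name__ == "__main__":
    # Constructed sample requests; op.example is a placeholder OpenID Provider.
    base = "https://op.example/authorize?client_id=rdap&"
    for query in ("response_type=code", "response_type=token%20id_token"):
        try:
            print(query, "->", check_authorization_request(base + query))
        except FlowRejected as exc:
            print(query, "-> rejected:", exc)
```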