Re: [OAUTH-WG] Stephen Farrell's Discuss on draft-ietf-oauth-dyn-reg-28: (with DISCUSS and COMMENT)

2015-04-24 Thread Mike Jones
Thanks all. Justin, please add a comma after the OpenID.Discovery reference. From: Kathleen Moriarty Sent: 4/24/2015 3:02 PM To: Stephen Farrell Cc: Justin Richer;

Re: [OAUTH-WG] Stephen Farrell's Discuss on draft-ietf-oauth-dyn-reg-28: (with DISCUSS and COMMENT)

2015-04-24 Thread Kathleen Moriarty
Thank you, both! On Fri, Apr 24, 2015 at 5:32 PM, Stephen Farrell wrote: > > > On 24/04/15 22:27, Justin Richer wrote: > > Stephen, I’ve worked on this this afternoon and this is my proposed text: > > > > The response to such a > >situation is out of scope for this specific

Re: [OAUTH-WG] Stephen Farrell's Discuss on draft-ietf-oauth-dyn-reg-28: (with DISCUSS and COMMENT)

2015-04-24 Thread Stephen Farrell
On 24/04/15 22:27, Justin Richer wrote: > Stephen, I’ve worked on this this afternoon and this is my proposed text: > > The response to such a >situation is out of scope for this specification but could include >filing a report with the application developer or

Re: [OAUTH-WG] Stephen Farrell's Discuss on draft-ietf-oauth-dyn-reg-28: (with DISCUSS and COMMENT)

2015-04-24 Thread Justin Richer
Stephen, I’ve worked on this this afternoon and this is my proposed text: The response to such a situation is out of scope for this specification but could include filing a report with the application developer or authorization server provider, attempted r

Re: [OAUTH-WG] Stephen Farrell's Discuss on draft-ietf-oauth-dyn-reg-28: (with DISCUSS and COMMENT)

2015-04-24 Thread Stephen Farrell
On 24/04/15 13:28, Justin Richer wrote: >> > > It can get as bad as the web, which is pretty bad, but I hope we don't > have to point that out in great detail in every RFC that deals with the > web. :) I think the drive-by-download malware example is a good one, and > we could add another concre

Re: [OAUTH-WG] Stephen Farrell's Discuss on draft-ietf-oauth-dyn-reg-28: (with DISCUSS and COMMENT)

2015-04-24 Thread Stephen Farrell
On 24/04/15 13:30, Justin Richer wrote: >> > > OK, so are you asking for something like: > > "If the server supports an update mechanism such as [Dyn-Reg-Management] > and a discovery mechanism such as [OIDC-Discovery], then a smart client > could use these components to renegotiate undesirable

Re: [OAUTH-WG] Stephen Farrell's Discuss on draft-ietf-oauth-dyn-reg-28: (with DISCUSS and COMMENT)

2015-04-24 Thread Justin Richer
On 4/24/2015 8:24 AM, Stephen Farrell wrote: On 24/04/15 13:20, Justin Richer wrote: Stephen, thanks for the comments. We discussed but decided to stop short of a full back-and-forth multi-trip information negotiation protocol in order to keep things as simple as possible for the simple case

Re: [OAUTH-WG] Stephen Farrell's Discuss on draft-ietf-oauth-dyn-reg-28: (with DISCUSS and COMMENT)

2015-04-24 Thread Justin Richer
I do wonder though if you ought also say a bit about, or point at a reference describing, the possible bad outcomes if one of these URLs goes bad. The new text I think assumes that the developer will get how bad that can be, but I'm not sure if they would or not. It can get as bad as the web, w

Re: [OAUTH-WG] Stephen Farrell's Discuss on draft-ietf-oauth-dyn-reg-28: (with DISCUSS and COMMENT)

2015-04-24 Thread Stephen Farrell
On 24/04/15 13:20, Justin Richer wrote: > Stephen, thanks for the comments. > > We discussed but decided to stop short of a full back-and-forth > multi-trip information negotiation protocol in order to keep things as > simple as possible for the simple case. The model here is that the > client *

Re: [OAUTH-WG] Stephen Farrell's Discuss on draft-ietf-oauth-dyn-reg-28: (with DISCUSS and COMMENT)

2015-04-24 Thread Justin Richer
Stephen, thanks for the comments. We discussed but decided to stop short of a full back-and-forth multi-trip information negotiation protocol in order to keep things as simple as possible for the simple case. The model here is that the client *requests* a certain set of information in the regi

Re: [OAUTH-WG] Stephen Farrell's Discuss on draft-ietf-oauth-dyn-reg-28: (with DISCUSS and COMMENT)

2015-04-24 Thread Stephen Farrell
So this is to follow up on my discuss point#2, which said: (2) If the response (defined in 3.2.1) includes metadata that the server has altered, but that the client doesn't like, then what does the client do? (It may be that that's ok, but I'm not following why that is the case.) I'm also not sur

[OAUTH-WG] Stephen Farrell's Discuss on draft-ietf-oauth-dyn-reg-28: (with DISCUSS and COMMENT)

2015-04-24 Thread Stephen Farrell
Stephen Farrell has entered the following ballot position for draft-ietf-oauth-dyn-reg-28: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to http: