OpenID Connect is the intellectual property of the OpenID Foundation and it is
discussed there.
— Justin
> On Feb 6, 2017, at 7:30 AM, Denis wrote:
>
>
> The scope of this draft is unclear. The title states: "OAuth Security Topics".
> I have some questions:
> Does this document intend to cov
Thanks Joel,
-11 only contains the fixes to the comments received by Jan. 17. I am now
applying all the edits needed for the comments received after that.
The next version will fix the problem you have pointed out.
Best,
Nat
On Fri, Feb 3, 2017 at 8:03 AM Joel Halpern wrote:
> Reviewer: Joel
Thanks Denis. Here is my proposed disposition on your comments.
On Fri, Feb 3, 2017 at 8:11 PM Denis wrote:
> *Comments on I-D Action: draft-ietf-oauth-jwsreq-11.txt*
>
>
>
> Two editorial comments first :
>
>
>
> 1. Guidance is a mass noun, not a count noun, plural doesn't make sense.
> Please
The scope of this draft is unclear. The title states: "OAuth Security
Topics".**
I have some questions:
* Does this document intend to cover only the OAuth 2.0 delegation
protocol (since Justin said that OAuth 2.0 is a delegation protocol)
or OpenId Connect as well which is not limited
A belated +1
On Sat, Feb 4, 2017, 9:08 AM Jim Manico wrote:
> I'm just some random idiot am an not in this working group but the work
> from
> https://tools.ietf.org/html/draft-lodderstedt-oauth-security-topics-00 is
> one of the most up to date and useful OAuth security resources every
> publis
Justin,
You said :
"Sharing bearer tokens is a well known attack surface and *there's
really no way to stop that*.
Even PoP-style tokens can be shared since nothing stops Bob and Alice
from sharing their secrets with each other".
You also said:
"There's literally *nothing in the world tha
Justin,
First of all, thank you for your detailed responses.
Since you said: "don't bring up issues you have with the book", let us
forget about the book ... but not about the topics that have been raised.
You said: " This is the model of OAuth: it's a delegation protocol,
delegating from a
