Replying to Rifaat's e-mail but not replying to him specifically.
Hi folks,
I don't think the question of whether OAuth is a good or bad WG group is
really a productive one in general, and it's especially hard for me to see
how it's going to let us make progress on questions of DEI. This seems li
CCing the WG because I was wrong about the aliases.
-- Forwarded message -
From: Eric Rescorla
Date: Sun, Aug 26, 2018 at 2:02 PM
Subject: AD Review of draft-ietf-oauth-jwt-bcp
To: oauth
Rich version of this review at:
https://mozphab-ietf.devsvcdev.mozaws.net/D4649
COMMENTS
On Mon, Nov 5, 2018 at 12:39 AM Mike Jones
wrote:
> Hi Eric. Thanks again for your review.
> https://github.com/yaronf/I-D/pull/24 is intended to address your review
> comments. Text changes made to address each of your comments are listed
> below.
>
>
>
> *From:* OAu
Rich version of this review at:
https://mozphab-ietf.devsvcdev.mozaws.net/D4649
COMMENTS
S 1.2.
> 1.2. Conventions used in this document
>
> The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
> "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
>
t; https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-token-exchange-14
>
> htmlized:
> https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-14
>
>
> On Fri, Jun 1, 2018 at 10:02 PM, Eric Rescorla wrote:
>
>> OK, well, it seems like it ought to say that that generator of
trator taking override type corrective
> action on an end-user's account or transaction information (A is the
> end-user and C is the customer service rep) that the user on their own
> wouldn't have permission to change.
>
> On Fri, Jun 1, 2018 at 3:47 PM, Eric Rescorla w
quot;:"B"
> }
> }
> }
>
>
> Would some text explicitly saying that only the token subject (top level
> sub and claims) and the party identified by the outermost "act" claim (the
> current actor) are to be considered in access control d
>> >>> be anything more. And don't think it should be.
>> >>>
>> >>> There are two main expected uses of the actor claim (that I'm aware
>> >>> of
>> >>> anyway) that describing here might help. Maybe. One is a human to
ng London.
>
>
>
> -- Mike
>
>
>
> *From:* Eric Rescorla
> *Sent:* Friday, April 13, 2018 7:37 PM
> *To:* Mike Jones
> *Cc:* oauth@ietf.org
> *Subject:* Re: [OAUTH-WG] Follow up on draft-ietf-oauth-device-flow-08
>
>
>
> Thanks for t
London.
>
>
>
> -- Mike
>
>
>
> *From:* OAuth *On Behalf Of * Eric Rescorla
> *Sent:* Friday, April 13, 2018 6:00 PM
> *To:* oauth@ietf.org
> *Subject:* [OAUTH-WG] Follow up on draft-ietf-oauth-device-flow-08
>
>
>
> Hi folks,
>
>
>
>
Hi folks,
I just looked at the -08 diffs and I see a new section on brute forcing the token
but not describing the confused deputy attack. Did I miss something, or were you
still planning to add more text?
Thanks
-Ekr
___
OAuth mailing list
OAuth@ietf.o
Hi folks,
I've gone over draft-ietf-oauth-token-exchange-12 and things seem
generally OK. I do still have one remaining concern, which is about
the actor claim. Specifically, what is the RP supposed to do when they
encounter it? This seems kind of underspecified.
In particular:
1. What facts am
Full-featured review at:
https://mozphab-ietf.devsvcdev.mozaws.net/D4278
As noted in inline comments, some additional words about the security model
in which this document is embedded seem like they are needed. In
particular, it's pretty unclear to me what checks the STS is supposed to do
on a giv
-- Mike
>
> -Original Message-
> From: Mike Jones
> Sent: Tuesday, September 5, 2017 4:12 PM
> To: 'Eric Rescorla' ; oauth@ietf.org
> Subject: RE: [OAUTH-WG] AD Review: draft-ietf-oauth-discovery-06
>
> Thanks for your useful review, E
Hi folks,
Note: the original of this review is on Phabricator at:
https://mozphab-ietf.devsvcdev.mozaws.net/D7
If you want to see comments in context, you can go there. Also,
you can create an account and respond inline if you like.
If you elect to, let me know if you run into problems.
-Ekr
Eric Rescorla has entered the following ballot position for
draft-ietf-oauth-native-apps-11: No Objection
When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)
Please refer