Re: [OAUTH-WG] review draft-ietf-oauth-native-apps-07

2017-03-06 Thread Sebastian.Ebling
Telekom AG, Technology Enabling Platforms (PI-TEP) From: William Denniss [mailto:wdenn...@google.com] Sent: Friday, March 3, 2017 03:13 To: Ebling, Sebastian Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] review draft-ietf-oauth-native-apps-07 The Android Account Manager

Re: [OAUTH-WG] review draft-ietf-oauth-native-apps-07

2017-03-05 Thread Samuel Erdtman
Thanks Denis! On Fri, Mar 3, 2017 at 7:37 AM, William Denniss wrote: > Thanks all for the great discussion. I tweaked the discussion on public/confidential clients to rely more on the OAuth2 definition (it was a bit duplicative), and I reordered the security considerations so it flows bett

Re: [OAUTH-WG] review draft-ietf-oauth-native-apps-07

2017-02-27 Thread Samuel Erdtman
Thanks for the replies. If there are no formal guidelines from IETF I think we should just proceed; it is a good and informative spec, it was just to me it felt slightly off. Based on the conversation I have no objections taking this draft to RFC. //Samuel On Wed, Feb 22, 2017 at 12:09 AM, Justin

[OAUTH-WG] review draft-ietf-oauth-native-apps-07

2017-02-27 Thread Sebastian.Ebling
Hi all, I have a question that relates to section B.2. Android Implementation Details. I understand this as a working group best practice. Unfortunately this does not necessarily meet the Google instruction for Android. There is a lot of documentation out there pointing to the Android Account M

[OAUTH-WG] review draft-ietf-oauth-native-apps-07

2017-02-27 Thread Sebastian.Ebling
Hi, there is a typo in B.4. Search for "are are" and replace it with "are". Best regards Sebastian -- Sebastian Ebling / sebastian.ebl...@telekom.de / +49 6151 5838207 Deutsche Telekom AG, Technology Enabling Platforms (PI-TEP) ___ OAuth mailing li

Re: [OAUTH-WG] review draft-ietf-oauth-native-apps-07

2017-02-21 Thread Justin Richer
When I brought RFCs 7591, 7592, and 7662 up through the finalization process, I learned that there are two camps out there on normative requirements in the security considerations section. Some like them, as long as they don’t contradict requirements/advice in previous sections, and some don’t l

Re: [OAUTH-WG] review draft-ietf-oauth-native-apps-07

2017-02-21 Thread Denis
I *don't think* it's normal to have normative text in the Security Considerations, hence I support Samuel's position. Let us look at the first MUST from RFC 6749 in the Security Considerations section: The authorization server *MUST* authenticate the client *whenever possible*. Thi

[OAUTH-WG] review draft-ietf-oauth-native-apps-07

2017-02-20 Thread Samuel Erdtman
Hi, I just had a question on best practice. In this document a large part of the normative text is located under Security Considerations. I had previously seen Security Considerations as things to think about when implementing not so much as MUSTs and MUST NOTs. I think it is okay to have it thi