Re: [OAUTH-WG] Fixing the Authorization Server Mix-Up: Call for Adoption

2016-02-20 Thread Hannes Tschofenig
Just a quick reply to two of your remarks:

On 02/20/2016 09:49 AM, William Denniss wrote:
> The security researcher documents are only informative references

I think they should be informative references since they motivate the reason for doing the work but there is nothing in these publications t

Re: [OAUTH-WG] Fixing the Authorization Server Mix-Up: Call for Adoption

2016-02-20 Thread Mike Jones
We can and will bring more of the threat descriptions into the full document. For what it's worth, in the initial versions we referenced the German researcher's threat descriptions but intentionally didn't try to repeat them in detail in the spec, so that people would read their research public

Re: [OAUTH-WG] Fixing the Authorization Server Mix-Up: Call for Adoption

2016-02-20 Thread Hannes Tschofenig
Hi Mike,

On 02/20/2016 10:52 AM, Mike Jones wrote:
> Have you read both of their publications? If not, do yourself a
> favor and do. They're actually both very readable and quite
> informative.

I have read both documents. In context of this discussion the question is whether we (a) require the

Re: [OAUTH-WG] Fixing the Authorization Server Mix-Up: Call for Adoption

2016-02-20 Thread Mike Jones
Suggesting that they be read is of course, the right long-term approach. But as someone who spent 20+ years as a researcher before switching to digital identity, I was sensitive to not wanting to upstage their work by copying too much of their material into our draft before their publications w

Re: [OAUTH-WG] Fixing the Authorization Server Mix-Up: Call for Adoption

2016-02-20 Thread John Bradley
Inline

> On Feb 20, 2016, at 9:49 AM, William Denniss wrote:
>
> Maybe it's because I wasn't at the Darmstadt meeting so I don't have the full
> context, but I don't find draft A
> to be
> all that clear. Here's my review fee