Re: [OAUTH-WG] WGLC for Step-up Authentication

2022-10-21 Thread Jaimandeep Singh
Dear Vittorio, Thank you for the detailed reply. My follow-on suggestions and recommendations are given below for kind consideration please [The original suggestions can be found here]: *Item No 1*: Striking at the core of

Re: [OAUTH-WG] WGLC for Step-up Authentication

2022-10-21 Thread Warren Parad
REQUIRED always means "in the context of the RFC".
> I fully agree to your statement that 'existing implementations aren't expected to comply with the new specification'. However, the point I am making is that we cannot be biased towards OIDC specifications and leave others non-compliant. We h

Re: [OAUTH-WG] WGLC for Step-up Authentication

2022-10-21 Thread Brian Campbell
Jaimandeep, As Warren pointed out, requirements in this draft are only in the context of the draft itself. They are only applicable to implementations/deployments aiming to conform to the draft, which is completely optional in itself. When making access control decisions, it is not uncommon to fa

Re: [OAUTH-WG] WGLC for Step-up Authentication

2022-10-21 Thread Brian Campbell
Thanks Warren, it's a good reminder about REQUIRED/MUST/etc meaning in the context of the given document. As far as references are concerned, IETF documents can reference non-IETF documents. It's not at all uncommon. And a number of OAuth RFCs and in-progress drafts do already reference OIDC; draf

Re: [OAUTH-WG] Draft Proposal for a Cross Device Flow Security BCP

2022-10-21 Thread Brian Campbell
Just want to try and clarify some things about the status of CIBA, which is described somewhat erroneously as a "standard under development." There is a FAPI profile of CIBA that is still under development but core CIBA

Re: [OAUTH-WG] Draft Proposal for a Cross Device Flow Security BCP

2022-10-21 Thread Brian Campbell
And I just happened to notice there are a few mentions of RFC8682 (TinyMT32 Pseudorandom Number Generator) which should probably be RFC8628 (OAuth 2.0 Device Authorization Grant).
On Fri, Oct 21, 2022 at 4:06 PM Brian Campbell wrote:
> Just want to try and clarify some things about the status of