[chair hat off] Hi all,
I believe there are a few changes necessary for draft-ietf-ace-oauth-authz in order to complete it, and I am wondering what the rest of the group thinks.

1) We have seen various contributions that want to use the ACE framework for protocols other than CoAP. Still, the framework document focuses on CoAP. I believe we should make it more generic by saying that there are profiles using CoAP and others that don't. There shouldn't be anything wrong with it.

2) There are various references to OSCOAP in the document, and I believe they are misleading since the framework does not depend on, nor even use, OSCOAP.

3) The "Client Token" is somewhat experimental and not on par with the rest of the document in terms of maturity and alignment with OAuth. I would prefer this functionality to be covered in a separate document, if someone still cares about it. While OAuth has seen a lot of formal analysis, this feature obviously hasn't. It should be clear from the description that it is underspecified and currently insecure. For example, it is not clear how the AS determines freshness of the authentication request.

Thoughts?

Ciao
Hannes

_______________________________________________
Ace mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ace
