IETF rules require a security considerations section. That doesn't mean we can't also incorporate additional security text into each grant section. But having one comprehensive security section makes the other parts easier to read.
EHL

From: Brian Eaton [mailto:[email protected]]
Sent: Monday, February 21, 2011 9:36 PM
To: Eran Hammer-Lahav
Cc: Torsten Lodderstedt; OAuth WG
Subject: Re: [OAUTH-WG] Fwd: New Version Notification for draft-lodderstedt-oauth-security-00

On Sun, Feb 20, 2011 at 3:47 PM, Eran Hammer-Lahav <[email protected]> wrote:
> How do you envision this being incorporated into v2? Just section 5 or the entire document?

My two cents: rather than dedicating a single section of the core doc to security considerations, smaller sections should be added to individual profiles. I think the following sections would be useful:

User-agent and web-server flow: mostly the same security considerations for these two flows. I think there are subsections here.
  1) Authorization server implementation
  2) Client implementation

Token design: Design and implementation recommendations for refresh tokens and access tokens.

Client id, client secret, and assertions: when and how to use client secrets, when and how to use assertions, how to store, etc...

Other flows: each of the other flows has separate security considerations. In some cases they are brief, but they pretty much always need to be there.

Cheers,
Brian
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
